CA2346709A1 - Remote physician authentication service - Google Patents
Remote physician authentication service Download PDFInfo
- Publication number
- CA2346709A1 CA2346709A1 CA002346709A CA2346709A CA2346709A1 CA 2346709 A1 CA2346709 A1 CA 2346709A1 CA 002346709 A CA002346709 A CA 002346709A CA 2346709 A CA2346709 A CA 2346709A CA 2346709 A1 CA2346709 A1 CA 2346709A1
- Authority
- CA
- Canada
- Prior art keywords
- user
- information
- subscribing
- verification
- site
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2115—Third party
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0407—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Storage Device Security (AREA)
- Computer And Data Communications (AREA)
- Information Transfer Between Computers (AREA)
Abstract
A method and system of remote verification of an end user of web page with controlled access. Users are issued a user name and password which can be used to access any site which subscribes to the described verification system. A
user connects to a web site which contains desired information. When the user attempts to enter an area (or page) of the site with controlled access the pre-issued user name and password are requested. Once this information is entered, the subscribing website sends a secure (encrypted) query to a remote password database server. The supplied information is checked against a verification database. A yes or no secure verification is sent back to the subscriber site.
This verification can include anonymized demographic information such as specialty, location, and type of practice. The subscriber site then acts upon the verification received. The information entred by the user, while sent by the subscribing site is not accessible by the subscribing site. Thus, the subscribing site cannot create its own database of pre-verified users.
Preferably users are not required to be preregistered, and can gain access by entering identifiers which are checked against official Medical Association records. Preferably, whenever a user accesses a Web site and provides basic demographic data, the image of the sales representative most likely to deal with that user (based on location, zip code, or area of interest, etc.) will appear on the user's screen. The web site gets enough of the data entered by the user to select the proper sales representative, but not enough to target the user with solicitations.
user connects to a web site which contains desired information. When the user attempts to enter an area (or page) of the site with controlled access the pre-issued user name and password are requested. Once this information is entered, the subscribing website sends a secure (encrypted) query to a remote password database server. The supplied information is checked against a verification database. A yes or no secure verification is sent back to the subscriber site.
This verification can include anonymized demographic information such as specialty, location, and type of practice. The subscriber site then acts upon the verification received. The information entred by the user, while sent by the subscribing site is not accessible by the subscribing site. Thus, the subscribing site cannot create its own database of pre-verified users.
Preferably users are not required to be preregistered, and can gain access by entering identifiers which are checked against official Medical Association records. Preferably, whenever a user accesses a Web site and provides basic demographic data, the image of the sales representative most likely to deal with that user (based on location, zip code, or area of interest, etc.) will appear on the user's screen. The web site gets enough of the data entered by the user to select the proper sales representative, but not enough to target the user with solicitations.
Description
Remote Physician Authentica~~ Service Background and Summary of the Invention The present application relates to authentication of computer users requesting controlled information in distributed environments, and more particularly to remote authentication of physicians requesting controlled information across the Internet.
Background: Pharmaceutical and Medical Device Information Communication of professional information in the health care industries is (quite literally) vital, and yet there are severe problems in the legal system which make frank communication among physicians difficult and/or dangerous.
Background: Medical Liability A significant problem with physician communications (especially in the United States) is that doctors and medical care organizations are a favorite target of predatory lawyers. The exposure to lawsuits is so high that liability insurance rates are a major factor in determining the economic viability of professional practices. Consequently, the recommendations of medical insurance companies may be impossible for health care professionals to resist. In this environment any vulnerability which makes it easier for physicians and health care organiza-tions to be attacked by frivolous lawsuits is extremely unwelcome. For this reason, it is undesirable to have physician communications with the vendors of health care products be open for snooping. The necessity for health care professionals to watch every word of communication, out of concenn for attack by frivolous lawsuits, puts a significant damper on a physician's ability to gain access to new medical information, or to openly discuss case studies with colleagues. Since foreign medical suppliers can be subjected to U.S. liability in some cases, this legal problem affects medical companies worldwide.
Background: Patient Confidential Information Health care professionals are constrained in their ability to discuss and release patient confidential information. Such information is usually protected by doctor patient confidentiali-SUE3SI~iTUTE SHEET (RULE 261 z ty because of its extremely sensitive nature. In many jurisdictions a health care professional may be held liable to the patient if -the health care professional allows such information to escape. Nevertheless, such sensitive information is often relevant to discussions of the cases faced by physicians. Even vvithout the patient's name attached, the complete set of patient data may be such as to indicate the identity of the patient and thus permit the escape of sensitive information to a careful snooper. Thus the physician's legal environment is constrained both by the need to obtain new information which may relate to the existing cases, and by the severe legal dangers to the physician in openly transmitting such information.
Background: Federal Regulations Within U.S. jurisdiction, distribution of information on pharmaceuticals and medical devices is potentially subject to regulation by the U.S. Food and Drug Administration (or "The FDA"). Currently the FDA maintains that its rules do not distinguish between promotion aimed at lay persons and those aimed at health care professionals. However, in practice, the FDA applies stricter standards to communications aimed at the lay public than those aimed at "learned intermediaries" such as physicians. In addition to U.S.
regulations, other non-U.S.
national regulatory agencies currently maintain bans on direct-to-consumer advertising.
According to the World Health Organization (WHO), direct consumer promotion of prescription drugs is illegal except in the United States and Morocco.
Background: Marketing The pharmaceutical industry spends more than $15 billion annually marketing to physicians in the United States. Spending on sales and marketing grows every year by almost 10%. Additionally, the 800 member companies which make up the Health Care Industry Marketing Association {an association of medical device manufacturers) spend about $13 billion a year in attempts to reach physicians with information on regulated products.
Currently, pharmaceutical companies utilize several strategies to communicate information about their products to physicians. One such strategy is the use of pharmaceutical representatives to directly contact physicians at their offices. Visits by pharmaceutical representatives typically cost pharmaceutical companies $125-$350 per interaction with a physician.
Another strategy used by pharmaceutical companies is the use of telemarketing.
This strategy has grown to include reverse communications in which a physician is issued an "invitation code" (or "access code"). The code is used to access lectures concerning the latest treatments and protocols over the phone. Even then, each interaction by telemarketing costs between $10 and $50.
Finally, pharmaceutical companies resort to direct mail. However, direct mail can still result in a per physician cost of $10-$30 each. Furthermore, direct mail is the least reliable of the current strategies. It cannot be determined who is actually reached with direct mail advertising. This uncertainty i.s particularly true if the provider has appointed a staff member to read and sort mail. Even if the mail does reach its intended target, the amount of time that SUBSTITUTE SHEET (RULE 26) wo oon~oss PcTius99na2s3 the doctor actually spends with the information and the impact of the information on the doctor's decision making cannot be accurately determined.
Backg_,round: Internet Marketing Health care reform pressures manufacturers of pharmaceuticals and medical devices to bring down the cost of health care. At the same time, the owners or shareholders of such companies create internal pressure to increase profit margins and reduce costs. Marketing expenditures also affect health care costs. The Internet is expected to play a significant part in helping to reduce these ma~~keting costs. The ten leading pharmaceuticals companies have had sites on the world Wide Web since 1996.
In 1997, a study by Find/SVP found that approximately 35% of all American physicians had access to the Internet. This figure exceeded that of the general population which was then at 20%. Internet use among Americans continues to increase at a rate of about 80% per year. These figures suggest that connectivity will be the rule, especially among medical professionals, by the year 2000. Despite the exhibited trend. no pharmaceuti-cal or medical device manufacturer yet uses its World Wide Web site as an important marketing tool for reaching physicians.
Physician's Online (1'OL) operates a market-sponsored Web site accessible by password. POL uses an advertising business model, producing mini-sites within its own Web site for each subscribing company. The result is high maintenance fees coupled with an absence of hands-on control of their information.
Background: The Internet The Internet, which started in the late 1960's, is a vast computer network consisting of many smaller networks that span the entire globe. The Internet has grown exponentially, and millions of users ranging from individuals to corporations now use permanent and dial-up connections to use the Internfa on a daily basis worldwide. The computers or networks of computers connected within tlhe Internet, known as "hosts", allow public access to databases featuring information in nearly every field of expertise and are supported by entities ranging from universities and government to many commercial organizations, including pharmaceutical companies.
The Internet maintains an open structure in which exchanges of information are made cost-free without restriction. The free access format inherent to the Internet, however, presents difficulties for thosf: information providers requiring control over their Internet servers. Consider, for example, a research organization that may want to make certain technical information available on its Internet server to a large group of colleagues around the globe, but the information must be kept confidential. Without means of identifying each client, the organization would not be able to provide information on the network on a confidential or preferential ba:;is. In another situation, a company may want to provide highly specific service tips over its Internet server only to customers having service contracts or accounts.
SUBSTITUTE SHEET (RULE 26) Access control by an ;Internet server is difficult for at least two reasons.
First, when a client sends a request for a file on a remote Internet server, that message is routed or relayed by a Web of computers connected through the Internet until it reaches its destination host.
The client does not necessarily know how its message reaches the server. At the same time, the server makes responses vvithout ever knowing exactly who the client is or what its IP
address is. While the server may be programmed to trace its clients, the task of tracing is often difficult, if not impossible. Secondly, to prevent unwanted intrusion into private local area networks (LAN), system administrators implement various data flow control mechanisms, such as Internet "firewalls", within their networks. An Internet firewall is a software structure which allows a user to reach the Internet while preventing intruders of the outside world from accessing the user's LAN.
Background: Intranets and Extranets An intranet is a smaller version of the Internet that is limited to connections within an organization. Access is limited to the members of the organization, usually by means of a firewall. A firewall acts as a f;ateway that stems the flow of data into and out of the intranet.
An extranet is an intranet that extends access to specific users beyond the firewall.
For instance, a company's intranet may be accessible from remote locations that are not physically on the company premises. A company's catalog and product information, but no other company data, may be accessible to customers. Access to extranets often requires passing a gatekeeper of some sort that only allows access to users with specific information (e.g., a password).
Generally, users can interact on both intranets and extranets by means of the same user-friendly browsers that allow Internet access.
Background: Authentication and Identification Two-way authentication schemes generally involve hand-shaking techniques so that each party may verify he or she is in communication with the desired party regardless of each party's location or the types of devices in use. The problem to be solved is one in which a user communicates with a service that wishes to learn and authenticate the user's identity and vice versa. To clarify the problem, there are three aspects of network security that may be distinguished.
Identification: the way in which a user or service is referenced.
Authentication: the way in which a user may prove his or her identity.
Authorization: a method for determining what a given user may do.
The latter two aspects apply to service providers as well as to users.
A user's identity usually consists of a user name and a realm name. A realm is a SUBS1~'ITUTE SHEET (RULE 26) universe of identities. CompuServe Information Serve (CIS) and America Online (AOL) screen names are two examples of realms. The combination of user name and realm, typically shown as name@realm, identifies a user. Any given service recognizes some particular set of identities. A realm does not have to be large either in number of users or size of service.
5 For example, a single WWW server may have its own realm of users.
Authentication provides the ability to prove identity. When asking to do something for which a user's identity matters, the user may be asked for his or her identity. The service then usually requires the user to prove that identity. To accomplish this, most services use a separate character string as a password. The password is intended to be kept confidential.
If the password given for a particular identity is correct, the user is authenticated. Of course, there are some methods ~of authentication which are much more strict than a username/password regime, e.g., challenge/response type systems. However, a password system is generally reliable for communications in which a medium Level of trustworthy authentication is tolerable.
Authorization refers to the process of determining whether a given user is allowed to do something. For example, ~;rzay the user post a message, or use a confidential service? It is important to realize that authentication and authorization are distinct processes. One relates to proving an identity and the other relates to the properties of an identity.
A service that wishes to authenticate a user requires the user to identify himself or herself and to prove that he or she knows the pass-phrase. Generally, the service prompts the user for the pass-phrase. However, transmitting the plain text pass-phrases through a network compromises security because an eavesdropper may learn the pass-phrase as it travels through the network. X.25 networks have been compromised, and LANs, modem pools, and "The Internet" likewise are not suitalble for plain text pass-phrases due to the eavesdropper problem.
Prompting for the pass-phrase. while sufficient in the past, no longer works for extensive world-wide networks.
Background: Sales Contacts Salesmen play a crucial role in many areas of commerce. Economic theory may treat buyers' decisions as rational, but in practice buying decisions are affected by human contact as well as by rational considerations. (Humans are social animals by nature, and not merely logical processes.) Thus face-~t~-face contact with salesmen is not only a tool for spreading information, but also a way to oprovide the reassuring contact which is part of normal decision-making. This aspect of sales becomes more important in areas where the price of each individual purchase is large, or the cost of possible errors is high, or the pool of qualified buyers is subjected to exten:>ive sales pressure from competing vendors.
Marketing to physicians meets the last two of these criteria, and sometimes meets the first criterion as well (for purchases of capital equipment).
The importance of human contact in the buying process is discussed in the extensive literature on selling; see, e.g., The Sales Bible by Jeffrey Gitomer, and the numerous books cited therein, all of which are hereby incorporated by reference. As these books discuss, one SUBS~~ITUTE SHEET !RULE 261 of the important steps in the process is simply getting a chance to establish a friendly initial contact with the buyer. As these books also discuss extensively, buyers often prefer not to be bothered, and erect various barriers to such initial contact.
In some areas of e-commerce information dissemination must be restricted (as discussed above), and this presents a dilemma which has remained unsolved. If buyers must provide identification before Fretting information. they expose themselves to aggressive sales tactics (such as unwanted phone calls or emails). When wary buyers decline to provide identification, then those buyers will not receive information provided by the seller, even though that information would benefit both buyer and seller. This is inefficient. The present application discloses new ways to address this dilemma.
Remote Physician Authentication Service The present application discloses methods and systems for remote verification of an end user of web page with controlled access. Users are issued a user name and password which can be used to access <my site which subscribes to the described verification system.
I S In practice, a user connects to a web site which contains desired information. When the user attempts to enter an area (or page) of the site with controlled access the pre-issued user name and password are requested. lance this information is entered, the subscribing website sends a secure (encrypted) query to a remote password database server. The supplied information is checked against a verification database. A yes or no verification is sent back to the subscriber site. The verification can also include anonymized demographic information such as specialty, location, and type: of practice. The subscriber site then acts upon the verification received. The information entered by the user, while sent by the subscribing site is not accessible by the subscribing site. Thus, the site cannot create its own database of pre-verified users and the healthcare professional remains in control of his or her information.
The presently preferred; embodiment also contemplates a gateway site that allows users to login at the gateway, and thereby gain access to direct links to limited access areas of subscribing sites.
The present application also discloses a method and architecture wherein computer users who visit a marketing-related Web site may be informed about salespersons in the their area without exposing themsellves to solicitations. Users are often required to enter personal information in order to access. certain areas of Internet Web sites. The disclosed inventions allow users to enter enough personal data for a marketing Web site to later target that user with solicitations, but prevent the Web site owner from accessing most of that data, thus preventing the solicitations.
Users who are registered with the privacy broker ("PVS" in the presently preferred embodiment) are issued passwords and usernames. PVS also keeps other personal data on the user in their database. When a registered user logs in through the PVS
verification system to access limited access areas of .a subscribing Web site, and that user desires marketing related information, the PVS server can draw data from its information already on file about the registered user and send selected parts of that data (e. g., zip code, area of specialty) to the SUBSTITUTE SHEET (RULE 261 subscribing Web site. This information will be enough for the subscribing site to select the correct field sales representative to show the user on their screen, along with contact information relevant to that sales representative.
The disclosed inventions can also be implemented to work for users not registered with PVS. The user is prompted for entry of personal data which is relayed from the marketing related Web site server to another server (the PVS server). This second server filters the data, returning only enough information to the marketing-related Web site server for that site to select a sales representative who is likely to be encountered by the user, depending on the user's geographic location and area of interest or specialization. The sales representative's face, along with other relevant contact information, is displayed for the user.
In an alternative embodiment, the user enters only enough data for the marketing-related Web site to determine the sales representative that would be most likely to deal with the user. That salesperson''s image appears on the user's screen, along with information necessary for the user to corntact the salesperson, if desired. The user need not enter a full address, name, or telephone number, and thus is not exposed to direct solicitation from the salesperson or their company.. Only general location information (e.g., zip code, area code.
or partial phone number) is entered, possibly along with information about areas of specialization or other interests relevant to the selection of a sales representative. In this embodiment, there is no filteriing or masking of the data entered by the user.
The subscribing Web site sees it all; there simply isn't enough of it to identify the user for direct solicitations.
There are several advantages to the present invention. Users who are deterred from visiting a marketing-related 'Web site for fear of encouraging solicitations are no longer deterred, increasing the potential hits on the Web site. Users are also made familiar with the contact person at the company, and may be more likely to choose that vendor over less familiar ones. The user also need not fear that his or her personal data might be sold to other companies for solicitation.
The disclosed inventions also make sales representative information more accessible to remote, vacant, or hard to reach territories. Some areas encounter field sales representatives infrequently or not at all because the area may be on the fringes of territories, sparsely populated, or long distances away. Users who desire information about the easiest sales representative to reach can find that information.
The basic password verification process requires that the user be pre-registered with the verification service. Registration allows the user to be entered into a database and assigned an identification and passwordl. These identifiers, when supplied by the user, are matched on the PVS server for verification. However, a more flexible method of verification that does not require pre-registration can also be used, as disclosed in the present application. A U.S.
physician who has not received a PVS username and password can complete the Rapid Registration Form, which prompts the physician for personal data. This personal data is matched against the masterfile of all U.S. physicians held by the American Medical Association. Correct entry of the requested personal data achieves verification. The Rapid Registration also allows the physician to request a PVS username and password so that the SUBSTITUTE SHEET (RULE 26) usual verification process, i.c:., comparison with the username and password on the PVS
password server, can be used on later visits to PVS subscribing Web sites.
There are many advantages to the disclosed methods. They offer health care marketers confidence that they are in complete compliance with rules that restrict or prohibit promoting prescription drugs to the general public. Patient confidentiality is maintained and the health care professional may research specific protocols, drugs, and treatments.
Malpractice liability under learned-intermediary tort law is reduced. The disclosed business method also opens direct-to-physician communication on the Web without transgressing legal limits on direct consumer communication.
The disclosed methods also provide a verification service to device marketers at a price substantially lower than the cost of creating such a utility in-house.
Registration screens, discouraging to much potential Web site traffic, can be minimized or avoided.
Also, a storehouse of physician information can be established, and publishers and health care communicators can gauge their audiences more carefully. Clinical trials managers can communicate with potential physician investigators with the speed and cost-effectiveness of the Internet and the confidence of the telephone or post. Also. medical educators can use this on-line medium for Continuing Medical Education.
Brief Description of the Drawinss The disclosed embodiments of the present inventions will be described with reference to the accompanying drawings, which show important sample embodiments of the invention and which are incorporated in the specification hereof by reference, wherein:
Figure 1 depicts a bllock diagram of the architecture of the Remote Verification System.
Figure 2 depicts a flowchart of the method of remote verification.
Figure 3 shows a black diagram of a computer system according to the presently preferred embodiment.
Figure 4 shows the ISAPI Application Extension Process flowchart.
Figure 5 shows the ISAPI Filter Process flowchart.
Figure 6 shows a flowchart of the Rapid Registration Process, both with and without a PVS registered user.
Figure 7 depicts an example "welcome" page as seen on the user's browser when they enter the PVS Internet site.
Figure 8 shows an example "sign in" page for PVS users.
Figure 9 shows a sample "pop-up" sales representative page, where the user's data allows the subscribing Web site to display the sales representative most likely to be encountered by the user.
Figures 10 and 11 show the how verification over the Internet can make ordering restricted access products easier.
Detailed Description of the Preferred Embodiments SUBS'TtTUTE SHEET (RULE 26) The numerous innovative teachings of the present application will be described with particular reference to the presently preferred embodiment (by way of example, and not of limitation).
Definitions Following are some of the technical terms which are used in the present application.
Additional definitions can be found in the standard technical dictionaries.
Firewall: A security feature of Internet sites which is aimed at control of data flow.
HTML: Hypertext Markup Language. A format for information transfer made up of standard text .as well as formatting codes which indicate how the page should be displayed in a browser.
HTTP: Hypertext Transfer Protocol. Designed to run primarily over TCP/IP using an Internet setup. where a server issues the data and a client displays or processes it.
Hypertext: A method of linking certain text, pictures or sounds by connections, known as "hypertext IirLks" ("links"), to other pages within the same server or even on other computers within the Internet.
SSL: Secure Sockets Layer. A protocol for secure and authenticated transactions over the Internet.
URL: Uniform Resource Locator. URL's enable a Web browser to go directly to any file held on any Web server.
Web: The World-Wide Web (Web) is a method of accessing information on the Internet which allows a user to navigate the Internet resources intuitively, without IP
addresses or other technical knowledge.
X.25: A packet switching network protocol in which many connections are made over the same physical link.
Remote Physician Authentication In the presently preferred embodiment, the remote authentication system consists of three components. Figure 1 depicts a block diagram of the architecture of the Remote Verification System. The Remote Verification System acts as an Internet notary. Its function is to attest to the identity of incoming users to Web servers which control access to their information and can be positioned anywhere on the Internet.
Passwords In the presently preferred embodiment, the system is designed to verify the passwords of health care professionals vrho seek entry into controlled access sites on the Internet. The term "health care professionals" includes not only physicians, but persons in other regulated or licensed occupations that rely on information concerning pharmaceuticals and medical devices. Such occupations include, for example, dentists. doctors of osteopathy, pharmacists, certain nurses, and other specialist occupations which may exist within the laws of the U.S.
SUBS'T1TUTE SHEET IRULE 261 or other countries. Such sites can be provided by pharmaceutical companies as a marketing tool for new products and othf:r information, and by medical societies as a service to members of their organizations. A user name and password combination is distributed in advance to verified health care professionals. Such information can be distributed via Internet, by mail, ~ and/or by the sales force for a subscribing health care marketing organization. Typically this information comes from the American Medical Association's database of all U.S.
physicians and other public record and professional society databases.
Remote Verification S stem In the presently preferred embodiment, the health care professional (or "user") uses a 10 computer 102 to enter the We:b site 104 of a health care marketer or professional education provider across a first channE:l of communications. A Web site of this son will typically contain more than just health care professionals-only information. For example the site may contain employee rosters, hunnan resource information. etc.
The system consists of several interlocking software elements, supported by routines running on the password verification server. The routines, Common Gateway Interface (or CGI) scripts, are installed on the subscriber's server to handle password and user-name submission transactions and mediate the interaction with the password verification server.
The user name and password are not needed until the user requests entry to a "health care professionals-only" segment of the site 104. At this point, the subscriber's Web site 104 requests the user's user name and password. The Customer Representative function 108 (an executable dwelling on the subscriber's site) is responsible for collecting the user's identifiers.
Upon receipt of the user's information, the subscriber's Web site 104 sends a secure query to a password verification server 106 via the Internet (or other telecommunications link) across a second channel of communications. The query is secured via a proprietary encryption ?5 algorithm. Additionally, an !iSL connection can be established to enhance securitv. The Password Client 110 (a corrvmunications program dwelling on the subscriber's site) is a TCP/IP communications routine which sends the query. It establishes contact with the Password Verification Server 106. The query is an encrypted message containing the subscriber's identity (for billing and verification purposes), a reply IP
address, username and password.
The password verification server 106 contains a communications and database interface. It will receive the Password Client's encrypted message. Then a password database will be searched in order to verify the username/password pair. An encrypted go/no-go ("thumbs up"/"thumbs down") reply is returned to the Password Client 110 across the second communications channel. This reply can include anonymous demographic information such as specialty, location, and type of practice.
The Password Client l 10 at the subscriber's site 104 receives the secure go/no-go signal back from the password verification server 106. The subscriber's Web site 104 admits or rejects the user's request for access to restricted content based on the verification signal received.
Su9sTITUTE SHEET (RULE 281 Information Flow Figure 2 depicts a flowchart of the method of remote verification. The flow of information of the remote vs:rification system will be explained in relation to the software elements comprising the system. First, in the presently preferred embodiment, a health care professional (or "user"), using a computer, makes contact with a subscribing pharmaceutical or medical device manufacturer's Web site (or "subscribing site") (step 202) across a first communications channel. Once the user requests information from a controlled access portion of the subscribing site (a health care professionals-only area in the presently preferred embodiment) (step 204), a.n HTML script requests and collects user name and password information from the user (st:ep 206).
Once the log-on information is collected, a routine, "PVSCIien", prepares a message to send to a password verification server (step 208) across a second communications channel.
In the presently preferred emibodiment, the message comprises the collected user name and password. as well as an identifier to the calling site (subscribing site) for billing, the particular calling page, and a time stamp. After the message is prepared, it is encrypted using the proprietary algorithm described below and sent to a password verification server (step 210).
Additionally, an SSL connection can be established to enhance security. A t t h a password verification server, a routine, "PVServer", decrypts the message and verifies the user name and password received (step 212). In order to decrypt the information, the routine matches the encryption key vvith the calling site. Once decrypted, the routine looks up the user's record in a verificatiion database. The user record, in the presently preferred embodiment, includes: user name, password, specialty code, zip code, type of practice code, and medical education number.
Once verification has taken place, PVServer prepares a response to send to the subscribing site (step 214) across the second communications channel. This message includes:
user name, password, specialty code. zip code, type of practice. and an indication of whether the user is accepted or rejected. The message can also include a short text communication, for example, contact information for users having password problems. Such messages can be tailored to specialty or geography. PVServer then encrypts and sends the response to the subscribing site in a secure nnanner (step 216). The response is secured via a proprietary encryption algorithm. Additionally, an SSL connection can be established to enhance security.
At the subscribing site, PVSCIien receives the response and decrypts it (step 218).
Another routine, "drugs 1 ", executing at the subscribing site is responsible for: welcoming or rejecting the user based on the indication and passing demographic information such as specialty, zip, type of practice: and ME number to subscribing site (step 220).
Figure 7 shows an ex~~rnple of a "Welcome" page. This page welcomes the user and states what PVS has listed a.s the user's zip code and specialty. There are several links provided to the user. The user may update the PVS files kept on the user, visit the American Medical Association's site, or connect directly to several pharmaceutical company sites.
Figure 8 is a sample "Sign-in" page. Users who are already registered with PVS
and have a password and usernamE: may use this page to sign in and gain access to limited access SUBSTITUTE SHEET (RULE 26) areas of pharmaceutical Web sites, and to other PVS "physician only" services.
In this example, a demonstration username "mccormickdk0l " has been entered in the "username"
field. The "password" field shows that a password has been entered as well (represented by asterisks). The user then clicks the "submit" button shown below these two fields, and the username and password will undergo verification. If the identifiers entered match those on the PVS server list of registered users, the user is verified.
Figure 9 shows an example of the "pop-up" sales representative page. In this demonstration, the user sees the SmithKline Beecham products and services page, which gives information about pediatric pharmaceutical products. The image of a person is shown, along with contact information. In actual practice, this would be a real SmithKline Beecham field representative whom thE: user could contact. There is also information about products, with links to full information about each product.
Rapid Registration In the presently prefen~ed embodiment, the user (a health care professional with certain I S personal data recorded on the .American Medical Association masterfile) wishes to enter the secured area of a subscribing Web site. The user may enter the PVS password and username if the user is registered with PVS. However, some health professionals are not registered with PVS, and will consequently not be able to enter the required identifiers. In this case, the user wilt be required to complete the Rapid Registration Form which is reached through a hyperlink.
The Rapid Registration Form requests the users first name, last name, middle initial, year of graduation from medical school, state or country of medical school, date of birth (two digit day, two digit month, four digit year), current zip code for main mailing address, and email address. The user will also have the option of registering with Physician Verification Services, and having a username and password sent to the user. This will allow the user to register by entering only these identifiers, rather than the above mentioned information.
Figure 6 shows a flov~rchart of the verification process. In step 602, the user enters a Web site that has limited access areas which require verification of the user's status in order for the user to enter. The user sees both a rapid registration and a registered user option. If the user has preregistered with PVS and already has a PVS password and username, the user enters these identifiers (step 604). The Web site server sends this data to the PVS server (step 606), which checks the data for a match on the PVS registered user lists (step 608). The PVS
server then returns a verification of the user's status to the Web site (step 610). If the identifiers match, PVS returns a "yes" verification and the user is admitted to the limited access area (step 612).
If the identifiers entered by the user do not match the PVS registered user list, PVS
returns a "no" to the Web site (step 614). If a "no" verification is returned, or if the user otherwise is not registered with PVS, the user may use Rapid Registration (step 618). At this time, the user will also be given the option to register with PVS to obtain a username and password for future use (step G~20). At the Rapid Registration Form page, the user is prompted SUBS'InTUTE SHEET (RULE 26) to enter identifying data. including name, year of graduation from medical school, name of the medical school where the; user graduated, date of birth, zip code, and email address (step 622). The Web site server sends this data to the PVS server for verification (step 624). The PVS server checks the requested identifiers against the American Medical Association's S (AMA's) masterfile (step 62Ei), which is updated periodically on the PVS
server. PVS returns a "yes" or "no" verification (step 628). If the data matches that in the AMA
masterfile, PVS
returns a "yes" verification and the user is admitted to the limited access area (step 612). If the data does not match, PV~S returns a "no" verification and the user is not admitted to the limited access area (step 630)., Encryption Algorithm In the presently preferred embodiment, the encryption algorithm is based on the mathematical principle that:
for any prime P, NP ~rtou P = N ; for all N < P
Based on that result, it can also be shown that 1 S NP'' Mon P = 1 Np~~ Mon P = 1/N
In the presently preferred embodiment, values of P and N are selected to be in the range of 31 to 32 bits in length. Encryption of a message comprises taking three bytes of clear text and appending a fourth byte of random number. A third 32-bit value, A is added to that result and then the entire result is multiplied by N. The result of the multiplication step is then divided by P. T:he remainder of the division constitutes the encrypted message which will be transmitted over the Internet.
During decryption, thc~ encrypted number is multiplied by 1/N and then divided by P.
The value, A, is then subtracted from the remainder. The randomly-generated portions of the result are discarded. The result is the original clear text.
The above method of encryption offers both speed and efficiency. The encryption sends four bytes of encryptea~ data for every three bytes of plain text.
Therefore, there is a relatively smaller (33%) increase in communication volume. Further, encryption and decryption utilize simple mathematical operations allowing for quick processing times.
Preferred Embodiment for Some Operating Systems The routines which handle password and user-name submission transactions and mediate the interaction with the password verification server are described above as being implemented with CGI scripts.. However, the routines can also be implemented with Internet Server Applications (ISAs) and Filters provided by an Internet Server Application Programming Interface. An TSA is a dynamic-link library (DLL), that is, one or more functions that are compiled, linked, and stored separately from the processes that utilize them.
Filters sit between the client and a server and allow special actions to take place. While both CGI scripts and ISAs (and Filters) can perform many of the same services (and all of the same services for the purpose of this application), ISAs and Filters offer certain advantages.
SUBSTITUTE SHEET (RULE 26) WO 00/2?088 PtyTYUS99/22253 The biggest advantage is that an ISA can execute in the same address space as the process that utilizes it. CGI scripts execute as separate processes and therefore require environmental variables to be passed between processes in order for communication to take place.
Additionally, since the calling process is aware of the ISA in memory it can purge the ISA
if it is no longer needed (or has not been called recently) and can preload it for faster execution when called. Any operating systems which supports loadable shared images, such as Windows NTTM for example, can utilize ISAs and Filters.
Detail of a Sample Preferred Embodiment Following is a detailed description of the processes and performance of the ISAPI Application Extension and PVS 1 ISAPI Filter.
The PVSI ISAPI Application Extension The PVS I ISAPI ApFdication Extension is the first element in the verification chain offered by Physician Verificatian Services (PVS) on Web servers utilizing Microsoft Windows NT and the Microsoft Internet Information Server (IIS). Specifically, this program lives on a Web server where there is information that needs to be protected, for example, the Web server of a pharmaceutical company.
In the sample embodiiment, the PVSI ISAPI Application Extension resides in the PVS I.DLL file. Because it is, an executable, it is found in a folder that must be flagged as executable by the IIS. This e~;ecutable code is fired off when, for example, a doctor seeking protected information arrives at the gateway HTML page and fills in the UserName and Password fields of a form and clicks the Submit button.
For example, in a sample structure, the gateway HTML page is found at C:\InetPublwwwrootlpvsl\pas~sword.htm. The executable, in the set of sample files, is found at C:lInetPub\wwwroot\pvsl\fVSI.DLL.
It should be noted that the directory structure here is just an example. It actually can be any arbitrary setup, provided that all of the references and pointers remain consistent.
The PVS1 ISAPI is invoked after the PVS gateway password HTML page is shown to a person browsing for protected information. The person first enters his or her UserName and Password in the appropriate fields. When the Submit button is pressed, the PVS1.DLL
ISAPI Application Extension is fired off, and the user-supplied data is passed to the PVS1.DLL.
The PVSI ISAPI Application extension first checks to see that neither of the UserName or Password fields are empty. If either is empty, the user is shown an error message. Otherwise, the application extension sends the password verification request off to the PVS password server. In order to do this, it needs some additional information, which it gets from a file location hardvvired into the PVSI.DLL program. In the sample embodiment, that file location is C:\PvsClient\pvsl.ini. That folder and that file name must exist on drive C: for the program to work properly. The contents of the initialization file will be described later.
SUBSTITUTE SHEET fRULE 26) Based on the responsE: from the server, the Application Extension displays either an error or a welcome message. Both of those are derived from HTML templates, which wilt be described below. Appropriate entries are made in a log ftle, also to be described below.
If the user has given a correct UserName/Password pair, that user will be issued an HTTP
5 cookie, which will allow the server to identify the user during subsequent HTML requests.
The PVS-issued cookie is valid for four hours. HTML requests for protected information from that computer will be honored during that time period. Any subsequent requests will result in the use:r's browser being directed once again to the password page.
The server's behavior when a user attempts to access a protected site is governed by 10 the other part of the PVS1.DLL program: The PVS1 ISAPI Filter.
The PVS 1 ISAPI Filter The filter portion of the software is a part of the PVS1.DLL which gets loaded at the same time as Internet Infornnation Server. As its name suggests, the PVS1 ISAPI Filter examines every HTML request that passes through the IIS WWW server. If any URL
maps 15 to a folder that has the string; "\PRI" in its path name, the PVS1 ISAPI
Filter regards the information contained in that :folder to be protected. If the URL mapping doesn't contain that string, the filter takes no action at all.
If the folder does cont<~in "\PRI" (incidentally, the test for "\PRI" is not case-sensitive) then the filter checks to see if there is a valid PVS-issued cookie in the HTML request headers. If not, then the user's browser is shown an HTML file named NotYet.htm in the folder immediately above the "\PRI" folder in the directory tree.
If there is a valid cookie, the filter next checks to see if the user's Authorization Bits (which came from the server and were stored in the cookie) match the authorization bits of the protected folder.
A folder's authorization bits are appended to the folder's name in a hexadecimal scheme. The hexadecimal decoding starts immediately after the "\PRI". Hyphens are ignored and can be used to make the code more readable; any other character terminates the string.
A folder with no authorization bit code string can be accessed by any verified user.
If the user's Authorization Bits do not match the string appended to the folder name, the user is presented with the )-iTML page NotAuthorized.htm in the folder immediately above the "1PRI" folder in the directory tree.
Finally, if the validated user's authorization bits match the folder's, then the user is presented with the HTML page that was originally requested.
The "cookie iar"
Every time the PVS1 I:SAPI Filter allows access to a protected file based on the user having a valid cookie and matching authorization bits, it makes an entry in what we call the cookie jar. The cookie jar maintains a list of the most recent UserNames to access protected files, and how many hits there: were. Periodically the filter empties the cookie jar, sending a notification off to the PVS server that it did so.
SUBS'T1TUTE SHEET (RULE 26) Password verification requests, the responses from the PVS server, and cookie jar dump are all logged in a PVS log file on the client server. The log file is described below.
Contents of the PVS1.INI File As mentioned earlier,, the PVS1 ISAPI Application Extension and the PVS1 ISAPI
Filter need some site-dependent information in order to function. Rather than build such information into the software, it is kept in an initialization file.
Here is a sample C:\PVSCL1:ENT\PVS1.INI file:
(pvs 1 ]
SiteID="TestSite"
PasswordServer="demosthenes.verifies.com"
TemplateRoot="c:\inetpub\vv~wwroot\pvs 1 \cgi-bin"
LogRoot="c:lpvsclient"
ServerTimeout=5000 Here is what each line means:
* [pvs 1 ] - Bookkeeping for the system routines which extract information from the file.
* SiteID - This is your site's, identifier, so that PVS can figure out where the request came from. PVS will issue this code, and it should not be altered.
* PasswordServer - This is the name of the computer that processes verification requests.
* TemplateRoot - There are a number of different possible responses that the PVS1.DLL
program can generate. Those responses are derived from HTML templates and the template root tells the PVS1.DLL program where to find those templates. You will probably alter this to match your own Web page directory structure. This can be altered to match a particular web page directory structure.
* LogRoot - the PVS l .DLL, program generates a log of its activity. That log has some information which might be useful to you, and it too will be discussed later.
The LogRoot specifies the folder where the: log files are to be stored.
* ServerTimeout - the number of milliseconds the program waits for a response from the server before resending the request. After four resends it gives up and tells the browser that there was no response. Setting the timeout to 5000 means that the browser will get an error response after twenty seconds.
Information Found in the Log Files.
In the sample embodiment, the log files are maintained in the folder c-log.txt in the folder specified by the LogRoot entry of the c:\pvsclientlpvsl.ini file. The c-log.txt file is only allowed to grow to be 1,000,000 bytes in length, at which point it is renamed c-logl.txt. At that same time, any file already named c-logl.txt replaces any file already named c-log2.txt.
In this fashion, between two and three million bytes of history are maintained, but in a way that doesn't just keep growing forever.
SUBS'faTUTE SHEET (RULE 26) The information in the log files is kept for two reasons. First, it will help in tracking down problems, should there be any. Second, the information is available to the site administrators for review and analysis.
The log file contains a handful of different possible entries. Each line contains a number of different fields, which are identified by number and separated by <tab> characters.
The table of numeric codes (not all of which will be seen in any one c-log.txt entry) is this:
PVS Parameter Values 1: TIMESTAMP: YYYYMMDDHHMMSS.SSS UTC
Background: Pharmaceutical and Medical Device Information Communication of professional information in the health care industries is (quite literally) vital, and yet there are severe problems in the legal system which make frank communication among physicians difficult and/or dangerous.
Background: Medical Liability A significant problem with physician communications (especially in the United States) is that doctors and medical care organizations are a favorite target of predatory lawyers. The exposure to lawsuits is so high that liability insurance rates are a major factor in determining the economic viability of professional practices. Consequently, the recommendations of medical insurance companies may be impossible for health care professionals to resist. In this environment any vulnerability which makes it easier for physicians and health care organiza-tions to be attacked by frivolous lawsuits is extremely unwelcome. For this reason, it is undesirable to have physician communications with the vendors of health care products be open for snooping. The necessity for health care professionals to watch every word of communication, out of concenn for attack by frivolous lawsuits, puts a significant damper on a physician's ability to gain access to new medical information, or to openly discuss case studies with colleagues. Since foreign medical suppliers can be subjected to U.S. liability in some cases, this legal problem affects medical companies worldwide.
Background: Patient Confidential Information Health care professionals are constrained in their ability to discuss and release patient confidential information. Such information is usually protected by doctor patient confidentiali-SUE3SI~iTUTE SHEET (RULE 261 z ty because of its extremely sensitive nature. In many jurisdictions a health care professional may be held liable to the patient if -the health care professional allows such information to escape. Nevertheless, such sensitive information is often relevant to discussions of the cases faced by physicians. Even vvithout the patient's name attached, the complete set of patient data may be such as to indicate the identity of the patient and thus permit the escape of sensitive information to a careful snooper. Thus the physician's legal environment is constrained both by the need to obtain new information which may relate to the existing cases, and by the severe legal dangers to the physician in openly transmitting such information.
Background: Federal Regulations Within U.S. jurisdiction, distribution of information on pharmaceuticals and medical devices is potentially subject to regulation by the U.S. Food and Drug Administration (or "The FDA"). Currently the FDA maintains that its rules do not distinguish between promotion aimed at lay persons and those aimed at health care professionals. However, in practice, the FDA applies stricter standards to communications aimed at the lay public than those aimed at "learned intermediaries" such as physicians. In addition to U.S.
regulations, other non-U.S.
national regulatory agencies currently maintain bans on direct-to-consumer advertising.
According to the World Health Organization (WHO), direct consumer promotion of prescription drugs is illegal except in the United States and Morocco.
Background: Marketing The pharmaceutical industry spends more than $15 billion annually marketing to physicians in the United States. Spending on sales and marketing grows every year by almost 10%. Additionally, the 800 member companies which make up the Health Care Industry Marketing Association {an association of medical device manufacturers) spend about $13 billion a year in attempts to reach physicians with information on regulated products.
Currently, pharmaceutical companies utilize several strategies to communicate information about their products to physicians. One such strategy is the use of pharmaceutical representatives to directly contact physicians at their offices. Visits by pharmaceutical representatives typically cost pharmaceutical companies $125-$350 per interaction with a physician.
Another strategy used by pharmaceutical companies is the use of telemarketing.
This strategy has grown to include reverse communications in which a physician is issued an "invitation code" (or "access code"). The code is used to access lectures concerning the latest treatments and protocols over the phone. Even then, each interaction by telemarketing costs between $10 and $50.
Finally, pharmaceutical companies resort to direct mail. However, direct mail can still result in a per physician cost of $10-$30 each. Furthermore, direct mail is the least reliable of the current strategies. It cannot be determined who is actually reached with direct mail advertising. This uncertainty i.s particularly true if the provider has appointed a staff member to read and sort mail. Even if the mail does reach its intended target, the amount of time that SUBSTITUTE SHEET (RULE 26) wo oon~oss PcTius99na2s3 the doctor actually spends with the information and the impact of the information on the doctor's decision making cannot be accurately determined.
Backg_,round: Internet Marketing Health care reform pressures manufacturers of pharmaceuticals and medical devices to bring down the cost of health care. At the same time, the owners or shareholders of such companies create internal pressure to increase profit margins and reduce costs. Marketing expenditures also affect health care costs. The Internet is expected to play a significant part in helping to reduce these ma~~keting costs. The ten leading pharmaceuticals companies have had sites on the world Wide Web since 1996.
In 1997, a study by Find/SVP found that approximately 35% of all American physicians had access to the Internet. This figure exceeded that of the general population which was then at 20%. Internet use among Americans continues to increase at a rate of about 80% per year. These figures suggest that connectivity will be the rule, especially among medical professionals, by the year 2000. Despite the exhibited trend. no pharmaceuti-cal or medical device manufacturer yet uses its World Wide Web site as an important marketing tool for reaching physicians.
Physician's Online (1'OL) operates a market-sponsored Web site accessible by password. POL uses an advertising business model, producing mini-sites within its own Web site for each subscribing company. The result is high maintenance fees coupled with an absence of hands-on control of their information.
Background: The Internet The Internet, which started in the late 1960's, is a vast computer network consisting of many smaller networks that span the entire globe. The Internet has grown exponentially, and millions of users ranging from individuals to corporations now use permanent and dial-up connections to use the Internfa on a daily basis worldwide. The computers or networks of computers connected within tlhe Internet, known as "hosts", allow public access to databases featuring information in nearly every field of expertise and are supported by entities ranging from universities and government to many commercial organizations, including pharmaceutical companies.
The Internet maintains an open structure in which exchanges of information are made cost-free without restriction. The free access format inherent to the Internet, however, presents difficulties for thosf: information providers requiring control over their Internet servers. Consider, for example, a research organization that may want to make certain technical information available on its Internet server to a large group of colleagues around the globe, but the information must be kept confidential. Without means of identifying each client, the organization would not be able to provide information on the network on a confidential or preferential ba:;is. In another situation, a company may want to provide highly specific service tips over its Internet server only to customers having service contracts or accounts.
SUBSTITUTE SHEET (RULE 26) Access control by an ;Internet server is difficult for at least two reasons.
First, when a client sends a request for a file on a remote Internet server, that message is routed or relayed by a Web of computers connected through the Internet until it reaches its destination host.
The client does not necessarily know how its message reaches the server. At the same time, the server makes responses vvithout ever knowing exactly who the client is or what its IP
address is. While the server may be programmed to trace its clients, the task of tracing is often difficult, if not impossible. Secondly, to prevent unwanted intrusion into private local area networks (LAN), system administrators implement various data flow control mechanisms, such as Internet "firewalls", within their networks. An Internet firewall is a software structure which allows a user to reach the Internet while preventing intruders of the outside world from accessing the user's LAN.
Background: Intranets and Extranets An intranet is a smaller version of the Internet that is limited to connections within an organization. Access is limited to the members of the organization, usually by means of a firewall. A firewall acts as a f;ateway that stems the flow of data into and out of the intranet.
An extranet is an intranet that extends access to specific users beyond the firewall.
For instance, a company's intranet may be accessible from remote locations that are not physically on the company premises. A company's catalog and product information, but no other company data, may be accessible to customers. Access to extranets often requires passing a gatekeeper of some sort that only allows access to users with specific information (e.g., a password).
Generally, users can interact on both intranets and extranets by means of the same user-friendly browsers that allow Internet access.
Background: Authentication and Identification Two-way authentication schemes generally involve hand-shaking techniques so that each party may verify he or she is in communication with the desired party regardless of each party's location or the types of devices in use. The problem to be solved is one in which a user communicates with a service that wishes to learn and authenticate the user's identity and vice versa. To clarify the problem, there are three aspects of network security that may be distinguished.
Identification: the way in which a user or service is referenced.
Authentication: the way in which a user may prove his or her identity.
Authorization: a method for determining what a given user may do.
The latter two aspects apply to service providers as well as to users.
A user's identity usually consists of a user name and a realm name. A realm is a SUBS1~'ITUTE SHEET (RULE 26) universe of identities. CompuServe Information Serve (CIS) and America Online (AOL) screen names are two examples of realms. The combination of user name and realm, typically shown as name@realm, identifies a user. Any given service recognizes some particular set of identities. A realm does not have to be large either in number of users or size of service.
5 For example, a single WWW server may have its own realm of users.
Authentication provides the ability to prove identity. When asking to do something for which a user's identity matters, the user may be asked for his or her identity. The service then usually requires the user to prove that identity. To accomplish this, most services use a separate character string as a password. The password is intended to be kept confidential.
If the password given for a particular identity is correct, the user is authenticated. Of course, there are some methods ~of authentication which are much more strict than a username/password regime, e.g., challenge/response type systems. However, a password system is generally reliable for communications in which a medium Level of trustworthy authentication is tolerable.
Authorization refers to the process of determining whether a given user is allowed to do something. For example, ~;rzay the user post a message, or use a confidential service? It is important to realize that authentication and authorization are distinct processes. One relates to proving an identity and the other relates to the properties of an identity.
A service that wishes to authenticate a user requires the user to identify himself or herself and to prove that he or she knows the pass-phrase. Generally, the service prompts the user for the pass-phrase. However, transmitting the plain text pass-phrases through a network compromises security because an eavesdropper may learn the pass-phrase as it travels through the network. X.25 networks have been compromised, and LANs, modem pools, and "The Internet" likewise are not suitalble for plain text pass-phrases due to the eavesdropper problem.
Prompting for the pass-phrase. while sufficient in the past, no longer works for extensive world-wide networks.
Background: Sales Contacts Salesmen play a crucial role in many areas of commerce. Economic theory may treat buyers' decisions as rational, but in practice buying decisions are affected by human contact as well as by rational considerations. (Humans are social animals by nature, and not merely logical processes.) Thus face-~t~-face contact with salesmen is not only a tool for spreading information, but also a way to oprovide the reassuring contact which is part of normal decision-making. This aspect of sales becomes more important in areas where the price of each individual purchase is large, or the cost of possible errors is high, or the pool of qualified buyers is subjected to exten:>ive sales pressure from competing vendors.
Marketing to physicians meets the last two of these criteria, and sometimes meets the first criterion as well (for purchases of capital equipment).
The importance of human contact in the buying process is discussed in the extensive literature on selling; see, e.g., The Sales Bible by Jeffrey Gitomer, and the numerous books cited therein, all of which are hereby incorporated by reference. As these books discuss, one SUBS~~ITUTE SHEET !RULE 261 of the important steps in the process is simply getting a chance to establish a friendly initial contact with the buyer. As these books also discuss extensively, buyers often prefer not to be bothered, and erect various barriers to such initial contact.
In some areas of e-commerce information dissemination must be restricted (as discussed above), and this presents a dilemma which has remained unsolved. If buyers must provide identification before Fretting information. they expose themselves to aggressive sales tactics (such as unwanted phone calls or emails). When wary buyers decline to provide identification, then those buyers will not receive information provided by the seller, even though that information would benefit both buyer and seller. This is inefficient. The present application discloses new ways to address this dilemma.
Remote Physician Authentication Service The present application discloses methods and systems for remote verification of an end user of web page with controlled access. Users are issued a user name and password which can be used to access <my site which subscribes to the described verification system.
I S In practice, a user connects to a web site which contains desired information. When the user attempts to enter an area (or page) of the site with controlled access the pre-issued user name and password are requested. lance this information is entered, the subscribing website sends a secure (encrypted) query to a remote password database server. The supplied information is checked against a verification database. A yes or no verification is sent back to the subscriber site. The verification can also include anonymized demographic information such as specialty, location, and type: of practice. The subscriber site then acts upon the verification received. The information entered by the user, while sent by the subscribing site is not accessible by the subscribing site. Thus, the site cannot create its own database of pre-verified users and the healthcare professional remains in control of his or her information.
The presently preferred; embodiment also contemplates a gateway site that allows users to login at the gateway, and thereby gain access to direct links to limited access areas of subscribing sites.
The present application also discloses a method and architecture wherein computer users who visit a marketing-related Web site may be informed about salespersons in the their area without exposing themsellves to solicitations. Users are often required to enter personal information in order to access. certain areas of Internet Web sites. The disclosed inventions allow users to enter enough personal data for a marketing Web site to later target that user with solicitations, but prevent the Web site owner from accessing most of that data, thus preventing the solicitations.
Users who are registered with the privacy broker ("PVS" in the presently preferred embodiment) are issued passwords and usernames. PVS also keeps other personal data on the user in their database. When a registered user logs in through the PVS
verification system to access limited access areas of .a subscribing Web site, and that user desires marketing related information, the PVS server can draw data from its information already on file about the registered user and send selected parts of that data (e. g., zip code, area of specialty) to the SUBSTITUTE SHEET (RULE 261 subscribing Web site. This information will be enough for the subscribing site to select the correct field sales representative to show the user on their screen, along with contact information relevant to that sales representative.
The disclosed inventions can also be implemented to work for users not registered with PVS. The user is prompted for entry of personal data which is relayed from the marketing related Web site server to another server (the PVS server). This second server filters the data, returning only enough information to the marketing-related Web site server for that site to select a sales representative who is likely to be encountered by the user, depending on the user's geographic location and area of interest or specialization. The sales representative's face, along with other relevant contact information, is displayed for the user.
In an alternative embodiment, the user enters only enough data for the marketing-related Web site to determine the sales representative that would be most likely to deal with the user. That salesperson''s image appears on the user's screen, along with information necessary for the user to corntact the salesperson, if desired. The user need not enter a full address, name, or telephone number, and thus is not exposed to direct solicitation from the salesperson or their company.. Only general location information (e.g., zip code, area code.
or partial phone number) is entered, possibly along with information about areas of specialization or other interests relevant to the selection of a sales representative. In this embodiment, there is no filteriing or masking of the data entered by the user.
The subscribing Web site sees it all; there simply isn't enough of it to identify the user for direct solicitations.
There are several advantages to the present invention. Users who are deterred from visiting a marketing-related 'Web site for fear of encouraging solicitations are no longer deterred, increasing the potential hits on the Web site. Users are also made familiar with the contact person at the company, and may be more likely to choose that vendor over less familiar ones. The user also need not fear that his or her personal data might be sold to other companies for solicitation.
The disclosed inventions also make sales representative information more accessible to remote, vacant, or hard to reach territories. Some areas encounter field sales representatives infrequently or not at all because the area may be on the fringes of territories, sparsely populated, or long distances away. Users who desire information about the easiest sales representative to reach can find that information.
The basic password verification process requires that the user be pre-registered with the verification service. Registration allows the user to be entered into a database and assigned an identification and passwordl. These identifiers, when supplied by the user, are matched on the PVS server for verification. However, a more flexible method of verification that does not require pre-registration can also be used, as disclosed in the present application. A U.S.
physician who has not received a PVS username and password can complete the Rapid Registration Form, which prompts the physician for personal data. This personal data is matched against the masterfile of all U.S. physicians held by the American Medical Association. Correct entry of the requested personal data achieves verification. The Rapid Registration also allows the physician to request a PVS username and password so that the SUBSTITUTE SHEET (RULE 26) usual verification process, i.c:., comparison with the username and password on the PVS
password server, can be used on later visits to PVS subscribing Web sites.
There are many advantages to the disclosed methods. They offer health care marketers confidence that they are in complete compliance with rules that restrict or prohibit promoting prescription drugs to the general public. Patient confidentiality is maintained and the health care professional may research specific protocols, drugs, and treatments.
Malpractice liability under learned-intermediary tort law is reduced. The disclosed business method also opens direct-to-physician communication on the Web without transgressing legal limits on direct consumer communication.
The disclosed methods also provide a verification service to device marketers at a price substantially lower than the cost of creating such a utility in-house.
Registration screens, discouraging to much potential Web site traffic, can be minimized or avoided.
Also, a storehouse of physician information can be established, and publishers and health care communicators can gauge their audiences more carefully. Clinical trials managers can communicate with potential physician investigators with the speed and cost-effectiveness of the Internet and the confidence of the telephone or post. Also. medical educators can use this on-line medium for Continuing Medical Education.
Brief Description of the Drawinss The disclosed embodiments of the present inventions will be described with reference to the accompanying drawings, which show important sample embodiments of the invention and which are incorporated in the specification hereof by reference, wherein:
Figure 1 depicts a bllock diagram of the architecture of the Remote Verification System.
Figure 2 depicts a flowchart of the method of remote verification.
Figure 3 shows a black diagram of a computer system according to the presently preferred embodiment.
Figure 4 shows the ISAPI Application Extension Process flowchart.
Figure 5 shows the ISAPI Filter Process flowchart.
Figure 6 shows a flowchart of the Rapid Registration Process, both with and without a PVS registered user.
Figure 7 depicts an example "welcome" page as seen on the user's browser when they enter the PVS Internet site.
Figure 8 shows an example "sign in" page for PVS users.
Figure 9 shows a sample "pop-up" sales representative page, where the user's data allows the subscribing Web site to display the sales representative most likely to be encountered by the user.
Figures 10 and 11 show the how verification over the Internet can make ordering restricted access products easier.
Detailed Description of the Preferred Embodiments SUBS'TtTUTE SHEET (RULE 26) The numerous innovative teachings of the present application will be described with particular reference to the presently preferred embodiment (by way of example, and not of limitation).
Definitions Following are some of the technical terms which are used in the present application.
Additional definitions can be found in the standard technical dictionaries.
Firewall: A security feature of Internet sites which is aimed at control of data flow.
HTML: Hypertext Markup Language. A format for information transfer made up of standard text .as well as formatting codes which indicate how the page should be displayed in a browser.
HTTP: Hypertext Transfer Protocol. Designed to run primarily over TCP/IP using an Internet setup. where a server issues the data and a client displays or processes it.
Hypertext: A method of linking certain text, pictures or sounds by connections, known as "hypertext IirLks" ("links"), to other pages within the same server or even on other computers within the Internet.
SSL: Secure Sockets Layer. A protocol for secure and authenticated transactions over the Internet.
URL: Uniform Resource Locator. URL's enable a Web browser to go directly to any file held on any Web server.
Web: The World-Wide Web (Web) is a method of accessing information on the Internet which allows a user to navigate the Internet resources intuitively, without IP
addresses or other technical knowledge.
X.25: A packet switching network protocol in which many connections are made over the same physical link.
Remote Physician Authentication In the presently preferred embodiment, the remote authentication system consists of three components. Figure 1 depicts a block diagram of the architecture of the Remote Verification System. The Remote Verification System acts as an Internet notary. Its function is to attest to the identity of incoming users to Web servers which control access to their information and can be positioned anywhere on the Internet.
Passwords In the presently preferred embodiment, the system is designed to verify the passwords of health care professionals vrho seek entry into controlled access sites on the Internet. The term "health care professionals" includes not only physicians, but persons in other regulated or licensed occupations that rely on information concerning pharmaceuticals and medical devices. Such occupations include, for example, dentists. doctors of osteopathy, pharmacists, certain nurses, and other specialist occupations which may exist within the laws of the U.S.
SUBS'T1TUTE SHEET IRULE 261 or other countries. Such sites can be provided by pharmaceutical companies as a marketing tool for new products and othf:r information, and by medical societies as a service to members of their organizations. A user name and password combination is distributed in advance to verified health care professionals. Such information can be distributed via Internet, by mail, ~ and/or by the sales force for a subscribing health care marketing organization. Typically this information comes from the American Medical Association's database of all U.S.
physicians and other public record and professional society databases.
Remote Verification S stem In the presently preferred embodiment, the health care professional (or "user") uses a 10 computer 102 to enter the We:b site 104 of a health care marketer or professional education provider across a first channE:l of communications. A Web site of this son will typically contain more than just health care professionals-only information. For example the site may contain employee rosters, hunnan resource information. etc.
The system consists of several interlocking software elements, supported by routines running on the password verification server. The routines, Common Gateway Interface (or CGI) scripts, are installed on the subscriber's server to handle password and user-name submission transactions and mediate the interaction with the password verification server.
The user name and password are not needed until the user requests entry to a "health care professionals-only" segment of the site 104. At this point, the subscriber's Web site 104 requests the user's user name and password. The Customer Representative function 108 (an executable dwelling on the subscriber's site) is responsible for collecting the user's identifiers.
Upon receipt of the user's information, the subscriber's Web site 104 sends a secure query to a password verification server 106 via the Internet (or other telecommunications link) across a second channel of communications. The query is secured via a proprietary encryption ?5 algorithm. Additionally, an !iSL connection can be established to enhance securitv. The Password Client 110 (a corrvmunications program dwelling on the subscriber's site) is a TCP/IP communications routine which sends the query. It establishes contact with the Password Verification Server 106. The query is an encrypted message containing the subscriber's identity (for billing and verification purposes), a reply IP
address, username and password.
The password verification server 106 contains a communications and database interface. It will receive the Password Client's encrypted message. Then a password database will be searched in order to verify the username/password pair. An encrypted go/no-go ("thumbs up"/"thumbs down") reply is returned to the Password Client 110 across the second communications channel. This reply can include anonymous demographic information such as specialty, location, and type of practice.
The Password Client l 10 at the subscriber's site 104 receives the secure go/no-go signal back from the password verification server 106. The subscriber's Web site 104 admits or rejects the user's request for access to restricted content based on the verification signal received.
Su9sTITUTE SHEET (RULE 281 Information Flow Figure 2 depicts a flowchart of the method of remote verification. The flow of information of the remote vs:rification system will be explained in relation to the software elements comprising the system. First, in the presently preferred embodiment, a health care professional (or "user"), using a computer, makes contact with a subscribing pharmaceutical or medical device manufacturer's Web site (or "subscribing site") (step 202) across a first communications channel. Once the user requests information from a controlled access portion of the subscribing site (a health care professionals-only area in the presently preferred embodiment) (step 204), a.n HTML script requests and collects user name and password information from the user (st:ep 206).
Once the log-on information is collected, a routine, "PVSCIien", prepares a message to send to a password verification server (step 208) across a second communications channel.
In the presently preferred emibodiment, the message comprises the collected user name and password. as well as an identifier to the calling site (subscribing site) for billing, the particular calling page, and a time stamp. After the message is prepared, it is encrypted using the proprietary algorithm described below and sent to a password verification server (step 210).
Additionally, an SSL connection can be established to enhance security. A t t h a password verification server, a routine, "PVServer", decrypts the message and verifies the user name and password received (step 212). In order to decrypt the information, the routine matches the encryption key vvith the calling site. Once decrypted, the routine looks up the user's record in a verificatiion database. The user record, in the presently preferred embodiment, includes: user name, password, specialty code, zip code, type of practice code, and medical education number.
Once verification has taken place, PVServer prepares a response to send to the subscribing site (step 214) across the second communications channel. This message includes:
user name, password, specialty code. zip code, type of practice. and an indication of whether the user is accepted or rejected. The message can also include a short text communication, for example, contact information for users having password problems. Such messages can be tailored to specialty or geography. PVServer then encrypts and sends the response to the subscribing site in a secure nnanner (step 216). The response is secured via a proprietary encryption algorithm. Additionally, an SSL connection can be established to enhance security.
At the subscribing site, PVSCIien receives the response and decrypts it (step 218).
Another routine, "drugs 1 ", executing at the subscribing site is responsible for: welcoming or rejecting the user based on the indication and passing demographic information such as specialty, zip, type of practice: and ME number to subscribing site (step 220).
Figure 7 shows an ex~~rnple of a "Welcome" page. This page welcomes the user and states what PVS has listed a.s the user's zip code and specialty. There are several links provided to the user. The user may update the PVS files kept on the user, visit the American Medical Association's site, or connect directly to several pharmaceutical company sites.
Figure 8 is a sample "Sign-in" page. Users who are already registered with PVS
and have a password and usernamE: may use this page to sign in and gain access to limited access SUBSTITUTE SHEET (RULE 26) areas of pharmaceutical Web sites, and to other PVS "physician only" services.
In this example, a demonstration username "mccormickdk0l " has been entered in the "username"
field. The "password" field shows that a password has been entered as well (represented by asterisks). The user then clicks the "submit" button shown below these two fields, and the username and password will undergo verification. If the identifiers entered match those on the PVS server list of registered users, the user is verified.
Figure 9 shows an example of the "pop-up" sales representative page. In this demonstration, the user sees the SmithKline Beecham products and services page, which gives information about pediatric pharmaceutical products. The image of a person is shown, along with contact information. In actual practice, this would be a real SmithKline Beecham field representative whom thE: user could contact. There is also information about products, with links to full information about each product.
Rapid Registration In the presently prefen~ed embodiment, the user (a health care professional with certain I S personal data recorded on the .American Medical Association masterfile) wishes to enter the secured area of a subscribing Web site. The user may enter the PVS password and username if the user is registered with PVS. However, some health professionals are not registered with PVS, and will consequently not be able to enter the required identifiers. In this case, the user wilt be required to complete the Rapid Registration Form which is reached through a hyperlink.
The Rapid Registration Form requests the users first name, last name, middle initial, year of graduation from medical school, state or country of medical school, date of birth (two digit day, two digit month, four digit year), current zip code for main mailing address, and email address. The user will also have the option of registering with Physician Verification Services, and having a username and password sent to the user. This will allow the user to register by entering only these identifiers, rather than the above mentioned information.
Figure 6 shows a flov~rchart of the verification process. In step 602, the user enters a Web site that has limited access areas which require verification of the user's status in order for the user to enter. The user sees both a rapid registration and a registered user option. If the user has preregistered with PVS and already has a PVS password and username, the user enters these identifiers (step 604). The Web site server sends this data to the PVS server (step 606), which checks the data for a match on the PVS registered user lists (step 608). The PVS
server then returns a verification of the user's status to the Web site (step 610). If the identifiers match, PVS returns a "yes" verification and the user is admitted to the limited access area (step 612).
If the identifiers entered by the user do not match the PVS registered user list, PVS
returns a "no" to the Web site (step 614). If a "no" verification is returned, or if the user otherwise is not registered with PVS, the user may use Rapid Registration (step 618). At this time, the user will also be given the option to register with PVS to obtain a username and password for future use (step G~20). At the Rapid Registration Form page, the user is prompted SUBS'InTUTE SHEET (RULE 26) to enter identifying data. including name, year of graduation from medical school, name of the medical school where the; user graduated, date of birth, zip code, and email address (step 622). The Web site server sends this data to the PVS server for verification (step 624). The PVS server checks the requested identifiers against the American Medical Association's S (AMA's) masterfile (step 62Ei), which is updated periodically on the PVS
server. PVS returns a "yes" or "no" verification (step 628). If the data matches that in the AMA
masterfile, PVS
returns a "yes" verification and the user is admitted to the limited access area (step 612). If the data does not match, PV~S returns a "no" verification and the user is not admitted to the limited access area (step 630)., Encryption Algorithm In the presently preferred embodiment, the encryption algorithm is based on the mathematical principle that:
for any prime P, NP ~rtou P = N ; for all N < P
Based on that result, it can also be shown that 1 S NP'' Mon P = 1 Np~~ Mon P = 1/N
In the presently preferred embodiment, values of P and N are selected to be in the range of 31 to 32 bits in length. Encryption of a message comprises taking three bytes of clear text and appending a fourth byte of random number. A third 32-bit value, A is added to that result and then the entire result is multiplied by N. The result of the multiplication step is then divided by P. T:he remainder of the division constitutes the encrypted message which will be transmitted over the Internet.
During decryption, thc~ encrypted number is multiplied by 1/N and then divided by P.
The value, A, is then subtracted from the remainder. The randomly-generated portions of the result are discarded. The result is the original clear text.
The above method of encryption offers both speed and efficiency. The encryption sends four bytes of encryptea~ data for every three bytes of plain text.
Therefore, there is a relatively smaller (33%) increase in communication volume. Further, encryption and decryption utilize simple mathematical operations allowing for quick processing times.
Preferred Embodiment for Some Operating Systems The routines which handle password and user-name submission transactions and mediate the interaction with the password verification server are described above as being implemented with CGI scripts.. However, the routines can also be implemented with Internet Server Applications (ISAs) and Filters provided by an Internet Server Application Programming Interface. An TSA is a dynamic-link library (DLL), that is, one or more functions that are compiled, linked, and stored separately from the processes that utilize them.
Filters sit between the client and a server and allow special actions to take place. While both CGI scripts and ISAs (and Filters) can perform many of the same services (and all of the same services for the purpose of this application), ISAs and Filters offer certain advantages.
SUBSTITUTE SHEET (RULE 26) WO 00/2?088 PtyTYUS99/22253 The biggest advantage is that an ISA can execute in the same address space as the process that utilizes it. CGI scripts execute as separate processes and therefore require environmental variables to be passed between processes in order for communication to take place.
Additionally, since the calling process is aware of the ISA in memory it can purge the ISA
if it is no longer needed (or has not been called recently) and can preload it for faster execution when called. Any operating systems which supports loadable shared images, such as Windows NTTM for example, can utilize ISAs and Filters.
Detail of a Sample Preferred Embodiment Following is a detailed description of the processes and performance of the ISAPI Application Extension and PVS 1 ISAPI Filter.
The PVSI ISAPI Application Extension The PVS I ISAPI ApFdication Extension is the first element in the verification chain offered by Physician Verificatian Services (PVS) on Web servers utilizing Microsoft Windows NT and the Microsoft Internet Information Server (IIS). Specifically, this program lives on a Web server where there is information that needs to be protected, for example, the Web server of a pharmaceutical company.
In the sample embodiiment, the PVSI ISAPI Application Extension resides in the PVS I.DLL file. Because it is, an executable, it is found in a folder that must be flagged as executable by the IIS. This e~;ecutable code is fired off when, for example, a doctor seeking protected information arrives at the gateway HTML page and fills in the UserName and Password fields of a form and clicks the Submit button.
For example, in a sample structure, the gateway HTML page is found at C:\InetPublwwwrootlpvsl\pas~sword.htm. The executable, in the set of sample files, is found at C:lInetPub\wwwroot\pvsl\fVSI.DLL.
It should be noted that the directory structure here is just an example. It actually can be any arbitrary setup, provided that all of the references and pointers remain consistent.
The PVS1 ISAPI is invoked after the PVS gateway password HTML page is shown to a person browsing for protected information. The person first enters his or her UserName and Password in the appropriate fields. When the Submit button is pressed, the PVS1.DLL
ISAPI Application Extension is fired off, and the user-supplied data is passed to the PVS1.DLL.
The PVSI ISAPI Application extension first checks to see that neither of the UserName or Password fields are empty. If either is empty, the user is shown an error message. Otherwise, the application extension sends the password verification request off to the PVS password server. In order to do this, it needs some additional information, which it gets from a file location hardvvired into the PVSI.DLL program. In the sample embodiment, that file location is C:\PvsClient\pvsl.ini. That folder and that file name must exist on drive C: for the program to work properly. The contents of the initialization file will be described later.
SUBSTITUTE SHEET fRULE 26) Based on the responsE: from the server, the Application Extension displays either an error or a welcome message. Both of those are derived from HTML templates, which wilt be described below. Appropriate entries are made in a log ftle, also to be described below.
If the user has given a correct UserName/Password pair, that user will be issued an HTTP
5 cookie, which will allow the server to identify the user during subsequent HTML requests.
The PVS-issued cookie is valid for four hours. HTML requests for protected information from that computer will be honored during that time period. Any subsequent requests will result in the use:r's browser being directed once again to the password page.
The server's behavior when a user attempts to access a protected site is governed by 10 the other part of the PVS1.DLL program: The PVS1 ISAPI Filter.
The PVS 1 ISAPI Filter The filter portion of the software is a part of the PVS1.DLL which gets loaded at the same time as Internet Infornnation Server. As its name suggests, the PVS1 ISAPI Filter examines every HTML request that passes through the IIS WWW server. If any URL
maps 15 to a folder that has the string; "\PRI" in its path name, the PVS1 ISAPI
Filter regards the information contained in that :folder to be protected. If the URL mapping doesn't contain that string, the filter takes no action at all.
If the folder does cont<~in "\PRI" (incidentally, the test for "\PRI" is not case-sensitive) then the filter checks to see if there is a valid PVS-issued cookie in the HTML request headers. If not, then the user's browser is shown an HTML file named NotYet.htm in the folder immediately above the "\PRI" folder in the directory tree.
If there is a valid cookie, the filter next checks to see if the user's Authorization Bits (which came from the server and were stored in the cookie) match the authorization bits of the protected folder.
A folder's authorization bits are appended to the folder's name in a hexadecimal scheme. The hexadecimal decoding starts immediately after the "\PRI". Hyphens are ignored and can be used to make the code more readable; any other character terminates the string.
A folder with no authorization bit code string can be accessed by any verified user.
If the user's Authorization Bits do not match the string appended to the folder name, the user is presented with the )-iTML page NotAuthorized.htm in the folder immediately above the "1PRI" folder in the directory tree.
Finally, if the validated user's authorization bits match the folder's, then the user is presented with the HTML page that was originally requested.
The "cookie iar"
Every time the PVS1 I:SAPI Filter allows access to a protected file based on the user having a valid cookie and matching authorization bits, it makes an entry in what we call the cookie jar. The cookie jar maintains a list of the most recent UserNames to access protected files, and how many hits there: were. Periodically the filter empties the cookie jar, sending a notification off to the PVS server that it did so.
SUBS'T1TUTE SHEET (RULE 26) Password verification requests, the responses from the PVS server, and cookie jar dump are all logged in a PVS log file on the client server. The log file is described below.
Contents of the PVS1.INI File As mentioned earlier,, the PVS1 ISAPI Application Extension and the PVS1 ISAPI
Filter need some site-dependent information in order to function. Rather than build such information into the software, it is kept in an initialization file.
Here is a sample C:\PVSCL1:ENT\PVS1.INI file:
(pvs 1 ]
SiteID="TestSite"
PasswordServer="demosthenes.verifies.com"
TemplateRoot="c:\inetpub\vv~wwroot\pvs 1 \cgi-bin"
LogRoot="c:lpvsclient"
ServerTimeout=5000 Here is what each line means:
* [pvs 1 ] - Bookkeeping for the system routines which extract information from the file.
* SiteID - This is your site's, identifier, so that PVS can figure out where the request came from. PVS will issue this code, and it should not be altered.
* PasswordServer - This is the name of the computer that processes verification requests.
* TemplateRoot - There are a number of different possible responses that the PVS1.DLL
program can generate. Those responses are derived from HTML templates and the template root tells the PVS1.DLL program where to find those templates. You will probably alter this to match your own Web page directory structure. This can be altered to match a particular web page directory structure.
* LogRoot - the PVS l .DLL, program generates a log of its activity. That log has some information which might be useful to you, and it too will be discussed later.
The LogRoot specifies the folder where the: log files are to be stored.
* ServerTimeout - the number of milliseconds the program waits for a response from the server before resending the request. After four resends it gives up and tells the browser that there was no response. Setting the timeout to 5000 means that the browser will get an error response after twenty seconds.
Information Found in the Log Files.
In the sample embodiment, the log files are maintained in the folder c-log.txt in the folder specified by the LogRoot entry of the c:\pvsclientlpvsl.ini file. The c-log.txt file is only allowed to grow to be 1,000,000 bytes in length, at which point it is renamed c-logl.txt. At that same time, any file already named c-logl.txt replaces any file already named c-log2.txt.
In this fashion, between two and three million bytes of history are maintained, but in a way that doesn't just keep growing forever.
SUBS'faTUTE SHEET (RULE 26) The information in the log files is kept for two reasons. First, it will help in tracking down problems, should there be any. Second, the information is available to the site administrators for review and analysis.
The log file contains a handful of different possible entries. Each line contains a number of different fields, which are identified by number and separated by <tab> characters.
The table of numeric codes (not all of which will be seen in any one c-log.txt entry) is this:
PVS Parameter Values 1: TIMESTAMP: YYYYMMDDHHMMSS.SSS UTC
2: VERSION: Version code of client software 3: USER ID: The UserName:
4: PASSWORD_QUERY: Outgoing password 5: PASSWORD_OK: Response from server 6: PASSWORD NG: Response from server 7: PHARM,SITE: Site code from the PVS1.INI file 8: SERVER NAME: Computer name of the client server 9: REMOTE~HOST: As reported by the HTTP headers 10: REMOTE ADDRESS: A,s reported by the HTTP headers 11: TABLE: Indicates in which PVS table a UserName was found 13: COUNTRY: From the UserName's address 14: ZIPCODE: From the Use;rName's address 15: SPECIALTY: UserName's AMA self designated medical specialty*
16: TOP: UserName's AMA type of practice*
18: CITY: Frorn the UserNarne's address 19: STATE: From the UserName's address 20: SYSTEMMESSAGE: HTML text string from the PVS Server 21: COOKIE JAR: A cookie jar dump 22: FLAGS: Flags from client to PVS server (not yet implemented) 23: TIMEOUT: Indicates that the server didn't respond to a password request 24: MPA: UserName's AMA Major Professional Activity*
25: PRIMARYPE: UserNames AMA Primary Employment*
26: AUTHORIZATIONBITS: Username's Authorization Bits *These are standard codes used by the American Medical Association in its Physician Masterfile. PVS provides interpretive tables where required.
A very typical one is the Password Request entry:
1=19990505210552.972 2=1 :3=davisr0l 4=******* 22=0 7=TestSite 8=xanadu.verifies.com 9=10.149.10.100 10=10.149.10.100.
This line is interpreted as follows: It means that at 1999-May-5 at 21:05:52.972 Universal Time a password request was initiated by software version 1. It indicates that * the username is "davisr0l ", * this is a password verification request, * the flags for this transaction are 0, SUBS'nTUTE SHEET (RULE 26) * the SiteID from the pvsl.ini file is "TestSite", * the server's name is "xanadu.veries.com", * the remote browser's host name is "10.149.10.100"
* and the remote browser's 1CI' address is "10.149.10.100".
There are a several possible responses which could follow this request entry in the log. If the PVS server is not responding, the response will be repeated three additional times, and will then be followed by 1=19990505212552.474 23--TIMEOUT
If the PVS password server doesn't recognize the UserName or the Password the response would look something like this:
1=19990505210553.457 3=d;avisr0l 6=NG
If the PVS password server does recognize the UserName and password, the response is more extensive:
1=19990505210553.457 3-= davisr0l 5=OK 11=1 13=USA 14=35401 15=GP 16=020 18=TUSCALOOSA 19=AL 24=OFF 25=01I 26=1 The decode of this entry:
At 1999-May-05 at 21:05:53.457 UTC this response for UserName "davisr0l" was received.
It indicates that * the UserName was found in PVS Table 1 (which is the AMA data file), * the country is "USA", * the ZIP code is "35401 ", * the AMA specialty is "GP", * the AMA Type of Practice is "020", * the City is "TUSCALOOS,A.", * the state is "AL", * the AMA Major Professional Activity is "OFF", * the AMA Primary Employment is "011"
* and the PVS Authorization Bits for this user are "1 ".
Another possibility for a c~lo~g entry is a dump of the cookie jar. Such an entry would look like this:
1=19990505211017.002 2=1 7=TestSite 8=xanadu.verifies.com 21=davisr01,3;
As before, this entry identifies the time, the software level, and the location. (Perhaps it should be emphasized that on any one server, the "7=" and "8=" entries will always be the same. But this is a copy of the information being sent to the PVS Password server, and those fields serve to identify where the information is coming from.) The "21="
entry consists of UserName/count pairs separated by semicolons. This entry indicates that since the last cookie jar dump, UserName "davisr0l" accessed three protected pages.
PVS HTML TemplatEa In the sample embodument. there are a number of HTML files which need to exist or be generated in order for the verification process to be accomplished.
SUBSTITUTE SHEET tRULE 261 The PASSWORD.HTM file: This file doesn't have to have any particular name. It can be found in any number of places in a Web site's structure (provided that they are not "1PRI"
locations), and, indeed, doesn't have to have any particular form except that the data foam must match the one on the PVS sample. Its purpose is to invoke the PVS1 ISAPI
Application Extension and generate a request to the PVS Password Server.
\TemplateRoot\needpw.htm: As its name suggests, this file must be found in the TemplateRoot specified in the C:\PVSCLIElVTIPVSI.INI file. This page gets displayed by the Application Extension when either the UserID or the UserID2 fields from the PASS-WORD.HTM page are empt3r when the Submit button is clicked.
\TemplateRoot\timeout.htm: 'This page is displayed to the user when the HTML
server is unable to get a response frc>rn the PVS Password Server. The PVSI ISAPI
Application Extension will try four times at intervals specified by the ServerTimeout parameter in the PVS 1.INI file.
lTemplateRootlpwnog_ood htm: This page is displayed to the user when the PVS
Password Server sends back a "Not Verified" response.
\TemplateRootlpwokav.htm: This page is displayed to the user when the PVS
Password Server sends back a "Username/Password verified" response.
\path\NotYet.htm: There can be any number of NotYet.htm files; there must be one in each folder that has a subfolder named "\PRI". The \path\NotYet.htm file is displayed when an unverified user attempts to access a Web page stored in a folder below lpathlpri\.
\pathlNotAuthorized.htm: Similar to the \path\NotYet.htm file, this one is displayed when a verified user attempts to access a "\PRI-xx" folder when the user doesn't have an Authoriza-tion Bit which matches the hexadecimal "-xx" code of the folder. There must be one such NotAuthorized.htm file in each folder immediately above each \path\pri-xx1 folder.
HTML Template Customization Each site can put whatever HTML information might be desired into the various template HTML files. The PVS template files can be modified slightly based on the information that comes back from the PVS Password Server.
The modification is based on replacing a particular unusual text siring ("!=DUBNER") in the HTML template files with the numerically-coded response data from the PVS Password Server. As a specific example, the pwokay.htm file might contain the following HTML text string:
The password entered with User ID !=DUBNER3 was determined to be correct. You are located in !=DUBNER18, !=DUBNER19 DUBNER14. The system message for today is !=DUBNER20.
The actual text that would be generated and seen by the user would have the various !=DUBNER fields replaced b:y their numerical equivalents as reported by the PVS Password Server, specifically, they would be replaced by the UserName, the City, State, and ZIP code, and the system message.
SU8ST1TUTE SHEET (RULE 261 Having described the; system in that detail, it might be useful to summarize it graphically;
When a user clicks "Submit" on the password page, it starts the PVS1 ISAPI
Application Extension: Please refer to Figure 4, the PVS1 ISAPI Application Extension 5 Flowchart.
Meanwhile, the PVSI. ISAPI Filter is checking every URL request that the server receives, as shown in Figure 5.
While following these: flowcharts, it should be kept in mind that many events are controlled by information found in the C:\PVSCLIENT\PVS1.INI initialization file, and that 10 many of the events are logged in the \LOG;ROOT\C-LOG.TXT file as they occur.
Figure 4 begins with 'the user submitting a username and a password (step 402). The application extension checks for missing identifiers (step 404). Missing identifiers prompt an error message display (step 406). Otherwise, the request is sent to the PVS
Server (step 408}.
If a response is not returned in the allotted time (step 410) then the timeout is logged (step I S 412) and displayed (step 414). If the response is timely, it is checked for a match in the database (step 416). A non-match will return a "no good" display (steps 418 and 420). If the response is OK'd, a PVS cookie is issued to the user (step 422) and an acceptance message is displayed (step 424).
Figure S shows the PVS1 ISAPI Filter Process. First the URL request is checked (step 20 502). If it is time to dump the cookie jar (step 504) then a new process to send a cookie jar to the PVS Server is spawned (step 506). If it is not time to dump the cookie jar, the URL
is checked for a "\PRI" string (step 508). If not, then the Web page is processed normally (step 510). If so, the user is checked for a valid cookie (step 512). If the user has no valid cookie, the filter displays the \PathlNotYet.html (step 5I4). If the user still has a valid cookie, then the filter checks the \Pri for -xx authorization suffix {step 516). If there is a suffix. then the user's cookie bits are checked against the \Pri-xx bits (step 518). If they do not match.
then a non-authorization page is displayed (step 520). If they do match, then the username is accumulated in the cookie jar (step 522). The Web server is then allowed to process the requested page (step 524).
System Context Figure 3 shows a block diagram of a computer system 300 which can be used for implementation of a client o:r server used in the presently preferred embodiment. In this example, the computer system includes: user input devices (e.g. keyboard 335 and mouse 340); at least one microprocessor 325 which is operatively connected to receive inputs from said input device, through an interface manager chip 330 (which also provides an interface to the various ports); a power supply 305 which is connected to draw power from AC mains and provide DC voltage to the computer system 300 components; a memory (e.g.
flash or non-volatile memory 355 and RAM 360), which is accessible by the microprocessor; a data output device (e.g. display 3'.50 and video display adapter card 345) which is connected to output data generated by microprocessor; and a magnetic disk drive 370 which is read-write SUBSTITUTE SHEET (RULE 26) accessible, through an interface unit 365, by the microprocessor. In the presently preferred embodiment, the routines described which execute the method reside in RAM 360 and are executed by the microprocessor 325.
Optionally, of course, many other components can be included, and this configuration is not definitive by any means. For example, the computer may also include a CD-ROM
drive 380 and floppy disk drive ("FDD") 375 which may interface to the disk interface controller 365. Additionally, >r2 cache 385 may be added to speed data access from the disk drives to the microprocessor, and a PCMCIA 390 slot accommodates peripheral enhancements.
Alternative Embodiment In addition to verification services, the password verification server 106 and the Password Client 110 can be configured to be in constant communication. Such communica-tion will allow messages other than short text messages to be displayed to health care professionals. For instance. 'the system can operate as a rapid-notification service for users.
passing messages of particul~~r importance to a particular user once it is known that the user is connected with a particular subscribing site.
Alternative Embodiment In an alternative embodiment, the function of the verification services described can be extended to digital signature-like verifications. For example, prescription orders can be delivered on-line to mail order or local pharmacies. The use of such a verification and delivery service would help to eliminate the need for both a paper prescription, which can be forged or lost, and faxing bet~a~een a physician's office and a pharmacy. In addition, the time for a delivery of a mail-order prescription can be reduced due to the immediate delivery of the prescription authorization to the mail-order pharmacy via the Internet.
Figures 10 depict the present process of physician-initiated sampling. The physician requests a sample requiring verification of the physicians identity and status as a licensed physician (step 1002). The sample is to be sent to the physician (step 1004) or to a patient (step 1006). If sent to the physician, it is to be sent either by the physician's field sales representative (step 1008) or by courier (step 1010). Patient deliveries are by courier (step 1012) in this model. If sent by sales representative to the physician, an automated business reply card (BRC) is used (step 1014). This is a system that produces an electronic form with fields for the physician's information needed by the pharmacy. The BRC is returned to the pharmaceutical company for action by the field sales force representative (step 1020), who does the actual distribution of the sample.
If the sample is to be sent to the physician or patient via courier, then an online form with faxed signature is used. An online form with the relevant physician's information (step 1016) or with the physician's and the patient's information {step 1018) is sent directly to a sample fulfillment house (a pharmaceutical company or an agent of one), who distributes the samples to the doctor (step 1022) or the patient (step 1024). The online form has fields for the physician's (or the physiciian's and patient's) information like the BRC, but also generates SUBSTITUTE SHEET fRULE 261 a form for the doctor's signature to be returned to the pharmacy by fax. The physician fills in the relevant fields of the electronic form, which creates a suspense file at the fulfillment house, awaiting a faxed signature by the doctor. Once complete with signature, the samples are sent.
In many jurisdiction:>, an actual signature is required for the legal ordering of prescription drugs. The presently disclosed embodiment of the invention creates an alternative to this method of verification by substituting an "e-signature" for the online form and faxed signature. Figure 11 shows ttue same process for physician-initiated sampling, but steps 1016 and 1018 are replaced by steps 1102 and 1104--using e-signatures instead of faxed signatures.
The presently disclosed embodiment of the invention, by verifying the identity and status of a computer user as a physici2uY, obviates the need for a faxed signature.
Though presently this would not fulfill any legal requirements for an actual signature, it would fulfill proposed rules for electronic signatures proposed in the Federal Register, Wednesday, August 12, 1998, p. 43241, "Department of Health and Human Services, Office of the Secretary, 45 CFR part 142. Security and e-signature Standards;
Proposed Rule." These proposed requirements suggest standards for e-signature ordering of prescription drugs. The three primary requirements are message integrity, non-repudiation, and authentication.
Message integrity means that i:he message cannot be tampered with or viewed by non-intended recipients. This can be fulfilled by using a secured sockets layer (SSL) in the communication.
Non-repudiation (meaning a user cannot deny having sent the message) and authentication (verifying the origin of the data) are achieved by the presently disclosed embodiment of the invention. Thus, the present disclosed embodiment coupled with an SSL fulfills the three criteria of the proposed e-signature standards.
Alternative Embodiment In an alternative embodiment, the user first visits the PVS Web site and enters the PVS usernarne and password. From there, the user can link directly to the controlled access areas of physician only Web sites with hyperlinks on the PVS site. The hyperlinks to limited access areas from the PVS site may be reached after logging in at the PVS site with the PVS
username and password. These hyperlinks will then take the user directly to the limited access areas, without having to go through the PVS verification again.
Alternative Embodiment In another alternative embodiment, subscribing Web site servers may retain passwords and usernames locally in their storage. This allows faster verification, eliminating the need to directly access PVS for every verification. Frequent or recent visitors to a Web site may be verified with the local memory of their usernames and passwords. The subscribing Web sites are prevented from seeing the personal data of the users either by contract or by PVS
software stored locally designed to prevent access.
Modifications and Variations SUBS'T1TUTE SHEET !RULE 26) As will be recognized 'by those skilled in the art, the innovative concepts described in the present application can be modified and varied over a tremendous range of applications, and accordingly the scope of patented subject matter is not limited by any of the specific exemplary teachings given.
In the presently preferred embodiment, a method and system of physician verification are disclosed. However, these services will support not only marketing of regulated products to physicians, but also on-line Continuing Medical Education, professional publishing on-line for physicians, and recruitment for clinical trials. In addition, any type of controlled access information can make use ol" the remote verification system and method described herein.
I 0 In the presently preferred embodiment, a proprietary encryption algorithm is described.
However, there are many encryption schemes available such as PGP, RSA, etc.
Most if not all of these encryption schemes can be adapted for use with the system and method described herein.
Optionally, secure lacking relationships (public-key relationships) can be used to completely prevent vendors i:rom cracking the PVS front-end software and gaining access to the secure data.
In another contemplated alternative, the professionals accessing a vendor site can be allowed to simply click on a button to give the vendor their complete identification data.
A computer system for implementation of the presently preferred embodiment is described. The hardware which comprises the system can be any combination of available processors and operating systems. Such systems can include, for example, L3nix boxes, IBM
PC compatible, and Macintosh computer systems.
SUBSTITUTE SHEET iRULE 26)
16: TOP: UserName's AMA type of practice*
18: CITY: Frorn the UserNarne's address 19: STATE: From the UserName's address 20: SYSTEMMESSAGE: HTML text string from the PVS Server 21: COOKIE JAR: A cookie jar dump 22: FLAGS: Flags from client to PVS server (not yet implemented) 23: TIMEOUT: Indicates that the server didn't respond to a password request 24: MPA: UserName's AMA Major Professional Activity*
25: PRIMARYPE: UserNames AMA Primary Employment*
26: AUTHORIZATIONBITS: Username's Authorization Bits *These are standard codes used by the American Medical Association in its Physician Masterfile. PVS provides interpretive tables where required.
A very typical one is the Password Request entry:
1=19990505210552.972 2=1 :3=davisr0l 4=******* 22=0 7=TestSite 8=xanadu.verifies.com 9=10.149.10.100 10=10.149.10.100.
This line is interpreted as follows: It means that at 1999-May-5 at 21:05:52.972 Universal Time a password request was initiated by software version 1. It indicates that * the username is "davisr0l ", * this is a password verification request, * the flags for this transaction are 0, SUBS'nTUTE SHEET (RULE 26) * the SiteID from the pvsl.ini file is "TestSite", * the server's name is "xanadu.veries.com", * the remote browser's host name is "10.149.10.100"
* and the remote browser's 1CI' address is "10.149.10.100".
There are a several possible responses which could follow this request entry in the log. If the PVS server is not responding, the response will be repeated three additional times, and will then be followed by 1=19990505212552.474 23--TIMEOUT
If the PVS password server doesn't recognize the UserName or the Password the response would look something like this:
1=19990505210553.457 3=d;avisr0l 6=NG
If the PVS password server does recognize the UserName and password, the response is more extensive:
1=19990505210553.457 3-= davisr0l 5=OK 11=1 13=USA 14=35401 15=GP 16=020 18=TUSCALOOSA 19=AL 24=OFF 25=01I 26=1 The decode of this entry:
At 1999-May-05 at 21:05:53.457 UTC this response for UserName "davisr0l" was received.
It indicates that * the UserName was found in PVS Table 1 (which is the AMA data file), * the country is "USA", * the ZIP code is "35401 ", * the AMA specialty is "GP", * the AMA Type of Practice is "020", * the City is "TUSCALOOS,A.", * the state is "AL", * the AMA Major Professional Activity is "OFF", * the AMA Primary Employment is "011"
* and the PVS Authorization Bits for this user are "1 ".
Another possibility for a c~lo~g entry is a dump of the cookie jar. Such an entry would look like this:
1=19990505211017.002 2=1 7=TestSite 8=xanadu.verifies.com 21=davisr01,3;
As before, this entry identifies the time, the software level, and the location. (Perhaps it should be emphasized that on any one server, the "7=" and "8=" entries will always be the same. But this is a copy of the information being sent to the PVS Password server, and those fields serve to identify where the information is coming from.) The "21="
entry consists of UserName/count pairs separated by semicolons. This entry indicates that since the last cookie jar dump, UserName "davisr0l" accessed three protected pages.
PVS HTML TemplatEa In the sample embodument. there are a number of HTML files which need to exist or be generated in order for the verification process to be accomplished.
SUBSTITUTE SHEET tRULE 261 The PASSWORD.HTM file: This file doesn't have to have any particular name. It can be found in any number of places in a Web site's structure (provided that they are not "1PRI"
locations), and, indeed, doesn't have to have any particular form except that the data foam must match the one on the PVS sample. Its purpose is to invoke the PVS1 ISAPI
Application Extension and generate a request to the PVS Password Server.
\TemplateRoot\needpw.htm: As its name suggests, this file must be found in the TemplateRoot specified in the C:\PVSCLIElVTIPVSI.INI file. This page gets displayed by the Application Extension when either the UserID or the UserID2 fields from the PASS-WORD.HTM page are empt3r when the Submit button is clicked.
\TemplateRoot\timeout.htm: 'This page is displayed to the user when the HTML
server is unable to get a response frc>rn the PVS Password Server. The PVSI ISAPI
Application Extension will try four times at intervals specified by the ServerTimeout parameter in the PVS 1.INI file.
lTemplateRootlpwnog_ood htm: This page is displayed to the user when the PVS
Password Server sends back a "Not Verified" response.
\TemplateRootlpwokav.htm: This page is displayed to the user when the PVS
Password Server sends back a "Username/Password verified" response.
\path\NotYet.htm: There can be any number of NotYet.htm files; there must be one in each folder that has a subfolder named "\PRI". The \path\NotYet.htm file is displayed when an unverified user attempts to access a Web page stored in a folder below lpathlpri\.
\pathlNotAuthorized.htm: Similar to the \path\NotYet.htm file, this one is displayed when a verified user attempts to access a "\PRI-xx" folder when the user doesn't have an Authoriza-tion Bit which matches the hexadecimal "-xx" code of the folder. There must be one such NotAuthorized.htm file in each folder immediately above each \path\pri-xx1 folder.
HTML Template Customization Each site can put whatever HTML information might be desired into the various template HTML files. The PVS template files can be modified slightly based on the information that comes back from the PVS Password Server.
The modification is based on replacing a particular unusual text siring ("!=DUBNER") in the HTML template files with the numerically-coded response data from the PVS Password Server. As a specific example, the pwokay.htm file might contain the following HTML text string:
The password entered with User ID !=DUBNER3 was determined to be correct. You are located in !=DUBNER18, !=DUBNER19 DUBNER14. The system message for today is !=DUBNER20.
The actual text that would be generated and seen by the user would have the various !=DUBNER fields replaced b:y their numerical equivalents as reported by the PVS Password Server, specifically, they would be replaced by the UserName, the City, State, and ZIP code, and the system message.
SU8ST1TUTE SHEET (RULE 261 Having described the; system in that detail, it might be useful to summarize it graphically;
When a user clicks "Submit" on the password page, it starts the PVS1 ISAPI
Application Extension: Please refer to Figure 4, the PVS1 ISAPI Application Extension 5 Flowchart.
Meanwhile, the PVSI. ISAPI Filter is checking every URL request that the server receives, as shown in Figure 5.
While following these: flowcharts, it should be kept in mind that many events are controlled by information found in the C:\PVSCLIENT\PVS1.INI initialization file, and that 10 many of the events are logged in the \LOG;ROOT\C-LOG.TXT file as they occur.
Figure 4 begins with 'the user submitting a username and a password (step 402). The application extension checks for missing identifiers (step 404). Missing identifiers prompt an error message display (step 406). Otherwise, the request is sent to the PVS
Server (step 408}.
If a response is not returned in the allotted time (step 410) then the timeout is logged (step I S 412) and displayed (step 414). If the response is timely, it is checked for a match in the database (step 416). A non-match will return a "no good" display (steps 418 and 420). If the response is OK'd, a PVS cookie is issued to the user (step 422) and an acceptance message is displayed (step 424).
Figure S shows the PVS1 ISAPI Filter Process. First the URL request is checked (step 20 502). If it is time to dump the cookie jar (step 504) then a new process to send a cookie jar to the PVS Server is spawned (step 506). If it is not time to dump the cookie jar, the URL
is checked for a "\PRI" string (step 508). If not, then the Web page is processed normally (step 510). If so, the user is checked for a valid cookie (step 512). If the user has no valid cookie, the filter displays the \PathlNotYet.html (step 5I4). If the user still has a valid cookie, then the filter checks the \Pri for -xx authorization suffix {step 516). If there is a suffix. then the user's cookie bits are checked against the \Pri-xx bits (step 518). If they do not match.
then a non-authorization page is displayed (step 520). If they do match, then the username is accumulated in the cookie jar (step 522). The Web server is then allowed to process the requested page (step 524).
System Context Figure 3 shows a block diagram of a computer system 300 which can be used for implementation of a client o:r server used in the presently preferred embodiment. In this example, the computer system includes: user input devices (e.g. keyboard 335 and mouse 340); at least one microprocessor 325 which is operatively connected to receive inputs from said input device, through an interface manager chip 330 (which also provides an interface to the various ports); a power supply 305 which is connected to draw power from AC mains and provide DC voltage to the computer system 300 components; a memory (e.g.
flash or non-volatile memory 355 and RAM 360), which is accessible by the microprocessor; a data output device (e.g. display 3'.50 and video display adapter card 345) which is connected to output data generated by microprocessor; and a magnetic disk drive 370 which is read-write SUBSTITUTE SHEET (RULE 26) accessible, through an interface unit 365, by the microprocessor. In the presently preferred embodiment, the routines described which execute the method reside in RAM 360 and are executed by the microprocessor 325.
Optionally, of course, many other components can be included, and this configuration is not definitive by any means. For example, the computer may also include a CD-ROM
drive 380 and floppy disk drive ("FDD") 375 which may interface to the disk interface controller 365. Additionally, >r2 cache 385 may be added to speed data access from the disk drives to the microprocessor, and a PCMCIA 390 slot accommodates peripheral enhancements.
Alternative Embodiment In addition to verification services, the password verification server 106 and the Password Client 110 can be configured to be in constant communication. Such communica-tion will allow messages other than short text messages to be displayed to health care professionals. For instance. 'the system can operate as a rapid-notification service for users.
passing messages of particul~~r importance to a particular user once it is known that the user is connected with a particular subscribing site.
Alternative Embodiment In an alternative embodiment, the function of the verification services described can be extended to digital signature-like verifications. For example, prescription orders can be delivered on-line to mail order or local pharmacies. The use of such a verification and delivery service would help to eliminate the need for both a paper prescription, which can be forged or lost, and faxing bet~a~een a physician's office and a pharmacy. In addition, the time for a delivery of a mail-order prescription can be reduced due to the immediate delivery of the prescription authorization to the mail-order pharmacy via the Internet.
Figures 10 depict the present process of physician-initiated sampling. The physician requests a sample requiring verification of the physicians identity and status as a licensed physician (step 1002). The sample is to be sent to the physician (step 1004) or to a patient (step 1006). If sent to the physician, it is to be sent either by the physician's field sales representative (step 1008) or by courier (step 1010). Patient deliveries are by courier (step 1012) in this model. If sent by sales representative to the physician, an automated business reply card (BRC) is used (step 1014). This is a system that produces an electronic form with fields for the physician's information needed by the pharmacy. The BRC is returned to the pharmaceutical company for action by the field sales force representative (step 1020), who does the actual distribution of the sample.
If the sample is to be sent to the physician or patient via courier, then an online form with faxed signature is used. An online form with the relevant physician's information (step 1016) or with the physician's and the patient's information {step 1018) is sent directly to a sample fulfillment house (a pharmaceutical company or an agent of one), who distributes the samples to the doctor (step 1022) or the patient (step 1024). The online form has fields for the physician's (or the physiciian's and patient's) information like the BRC, but also generates SUBSTITUTE SHEET fRULE 261 a form for the doctor's signature to be returned to the pharmacy by fax. The physician fills in the relevant fields of the electronic form, which creates a suspense file at the fulfillment house, awaiting a faxed signature by the doctor. Once complete with signature, the samples are sent.
In many jurisdiction:>, an actual signature is required for the legal ordering of prescription drugs. The presently disclosed embodiment of the invention creates an alternative to this method of verification by substituting an "e-signature" for the online form and faxed signature. Figure 11 shows ttue same process for physician-initiated sampling, but steps 1016 and 1018 are replaced by steps 1102 and 1104--using e-signatures instead of faxed signatures.
The presently disclosed embodiment of the invention, by verifying the identity and status of a computer user as a physici2uY, obviates the need for a faxed signature.
Though presently this would not fulfill any legal requirements for an actual signature, it would fulfill proposed rules for electronic signatures proposed in the Federal Register, Wednesday, August 12, 1998, p. 43241, "Department of Health and Human Services, Office of the Secretary, 45 CFR part 142. Security and e-signature Standards;
Proposed Rule." These proposed requirements suggest standards for e-signature ordering of prescription drugs. The three primary requirements are message integrity, non-repudiation, and authentication.
Message integrity means that i:he message cannot be tampered with or viewed by non-intended recipients. This can be fulfilled by using a secured sockets layer (SSL) in the communication.
Non-repudiation (meaning a user cannot deny having sent the message) and authentication (verifying the origin of the data) are achieved by the presently disclosed embodiment of the invention. Thus, the present disclosed embodiment coupled with an SSL fulfills the three criteria of the proposed e-signature standards.
Alternative Embodiment In an alternative embodiment, the user first visits the PVS Web site and enters the PVS usernarne and password. From there, the user can link directly to the controlled access areas of physician only Web sites with hyperlinks on the PVS site. The hyperlinks to limited access areas from the PVS site may be reached after logging in at the PVS site with the PVS
username and password. These hyperlinks will then take the user directly to the limited access areas, without having to go through the PVS verification again.
Alternative Embodiment In another alternative embodiment, subscribing Web site servers may retain passwords and usernames locally in their storage. This allows faster verification, eliminating the need to directly access PVS for every verification. Frequent or recent visitors to a Web site may be verified with the local memory of their usernames and passwords. The subscribing Web sites are prevented from seeing the personal data of the users either by contract or by PVS
software stored locally designed to prevent access.
Modifications and Variations SUBS'T1TUTE SHEET !RULE 26) As will be recognized 'by those skilled in the art, the innovative concepts described in the present application can be modified and varied over a tremendous range of applications, and accordingly the scope of patented subject matter is not limited by any of the specific exemplary teachings given.
In the presently preferred embodiment, a method and system of physician verification are disclosed. However, these services will support not only marketing of regulated products to physicians, but also on-line Continuing Medical Education, professional publishing on-line for physicians, and recruitment for clinical trials. In addition, any type of controlled access information can make use ol" the remote verification system and method described herein.
I 0 In the presently preferred embodiment, a proprietary encryption algorithm is described.
However, there are many encryption schemes available such as PGP, RSA, etc.
Most if not all of these encryption schemes can be adapted for use with the system and method described herein.
Optionally, secure lacking relationships (public-key relationships) can be used to completely prevent vendors i:rom cracking the PVS front-end software and gaining access to the secure data.
In another contemplated alternative, the professionals accessing a vendor site can be allowed to simply click on a button to give the vendor their complete identification data.
A computer system for implementation of the presently preferred embodiment is described. The hardware which comprises the system can be any combination of available processors and operating systems. Such systems can include, for example, L3nix boxes, IBM
PC compatible, and Macintosh computer systems.
SUBSTITUTE SHEET iRULE 26)
Claims (22)
1. A method of facilitating communication between users and subscribing sites, comprising the steps of:
authenticating qualified users to said subscribing sites, while concealing sufficient information about said users to preclude said subscribing sites from initiating solicitations of said users.
authenticating qualified users to said subscribing sites, while concealing sufficient information about said users to preclude said subscribing sites from initiating solicitations of said users.
2. The method of Claim 1, wherein said communication link is encrypted.
3. The method of Claim 1, further comprising the step of also providing said subscribing sites with limited information about said users relevant to marketing to said users.
4. A system for secured communications between healthcare professionals and subscribing Internet web sites containing controlled access information, comprising:
a first communications channel between a healthcare worker's computer and one of a plurality of subscribing sites containing information requiring controlled access;
and a second communications channel between said subscribing sites and a verification server;
wherein said second communication channel is cryptographically protected, using at least one cryptographic algorithm which is not used in said first communication channel;
wherein said verification server releases authorizations to said subscribing sites only on a per-session basis, and does not release blocks of user authentication data.
a first communications channel between a healthcare worker's computer and one of a plurality of subscribing sites containing information requiring controlled access;
and a second communications channel between said subscribing sites and a verification server;
wherein said second communication channel is cryptographically protected, using at least one cryptographic algorithm which is not used in said first communication channel;
wherein said verification server releases authorizations to said subscribing sites only on a per-session basis, and does not release blocks of user authentication data.
5. The system of Claim 4, wherein said communications take place over the Internet.
6. The system of Claim 4, wherein said first communications channel implements a secured sockets layer protocol.
7. A secure medical information transaction system, comprising:
a plurality of subscribing sites;
a plurality of end users; and a secure verification server wherein ones of said subscribing sites can access said verification server using crypto-graphically protected requests, and thereby provide secure access for authorized users to communicate with said subscribing sites, with information which may include patient confidential information and/or administration whose dissemination which is restricted by a regulatory agency.
a plurality of subscribing sites;
a plurality of end users; and a secure verification server wherein ones of said subscribing sites can access said verification server using crypto-graphically protected requests, and thereby provide secure access for authorized users to communicate with said subscribing sites, with information which may include patient confidential information and/or administration whose dissemination which is restricted by a regulatory agency.
8. The system of Claim 7, wherein said end users are licensed healthcare professionals.
9. The system of Claim 7, wherein said subscribing sites communicate with said verification server over the Internet.
10. A method of facilitating communications with licensed health care professionals who are subject to a duty of confidentiality, comprising the steps of:
when access to controlled information is requested from a subscribing site by one of said professionals, requesting verification for that access from a secure server site which has a compre-hensive authorization list, and if said secure server site provides verification, then permitting said access for a limited time only.
when access to controlled information is requested from a subscribing site by one of said professionals, requesting verification for that access from a secure server site which has a compre-hensive authorization list, and if said secure server site provides verification, then permitting said access for a limited time only.
11. The method of Claim 10, wherein said comprehensive authorization list is not downloaded to said subscribing site.
12. The method of Claim 10, wherein limited anonymous information about said health care professional is also sent to said subscribing site upon said verification.
13. The method of Claim 10, wherein said verification occurs over the Internet.
14. A method of brokering privacy for Internet access to confidential marketing information by licensed health care professionals who are subject to a duty of confidentiality, comprising the steps of:
permitting subscribing sites to obtain short-term verification of attempted Internet accesses by one of said professionals, with reference to a database which is not fully accessible to said subscribing sites; and also preventing said subscribing sites from downloading said database; and also under at least some circumstances, preventing said subscribing sites from using informa-tion obtained from said attempted Internet accesses to launch solicitations to said professionals.
permitting subscribing sites to obtain short-term verification of attempted Internet accesses by one of said professionals, with reference to a database which is not fully accessible to said subscribing sites; and also preventing said subscribing sites from downloading said database; and also under at least some circumstances, preventing said subscribing sites from using informa-tion obtained from said attempted Internet accesses to launch solicitations to said professionals.
15. The method of Claim 14. wherein anonymous information about said health care provider is also sent to said subscribing site upon said verification.
16. A method of combining e-commerce with field sales, comprising the steps of when a computer user attempts to access a marketing-related Internet site, obtaining location information related to that user; and displaying an image of selected field sales representatives who may be encountered by the user;
wherein the marketing-related Internet site does not receive enough information about said user to launch solicitations to said user.
wherein the marketing-related Internet site does not receive enough information about said user to launch solicitations to said user.
17. The method of Claim 16, wherein other marketing-related information is gathered from said user.
18. The method of Claim 16, wherein said marketing-related Internet site is prevented from seeing some of said location information entered by said user.
19. The method of Claim 16, wherein said location information is collected by a second server that is not the first server.
20. A method of facilitating communication between licensed health care professionals and subscribing Web sites, the Web sites containing secured areas, comprising the steps of:
when the health care professional attempts to access said secured areas of the subscribing Web sites, allowing said health care professional to either provide previously assigned identifiers, or provide other identifying data;
verifying said previously assigned identifiers or said other identifying data;
allowing said health care professional access to said secured area upon verification of said previously assigned identifiers or said other identifying data.
when the health care professional attempts to access said secured areas of the subscribing Web sites, allowing said health care professional to either provide previously assigned identifiers, or provide other identifying data;
verifying said previously assigned identifiers or said other identifying data;
allowing said health care professional access to said secured area upon verification of said previously assigned identifiers or said other identifying data.
21. The method of Claim 20, wherein said previously assigned identifiers or said other identifying data are verified by a separate server that does not contain said subscribing Web site.
22. The method of Claim 20, wherein if said health care professional does not enter previously assigned identifiers, said health care professional is allowed to request assignment of identifiers for future verification.
Applications Claiming Priority (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10683898P | 1998-11-03 | 1998-11-03 | |
US24830899A | 1999-02-11 | 1999-02-11 | |
US09/248,308 | 1999-02-11 | ||
US60/106,838 | 1999-02-11 | ||
PCT/US1999/022253 WO2000027088A2 (en) | 1998-11-03 | 1999-09-24 | Remote physician authentication service |
Publications (1)
Publication Number | Publication Date |
---|---|
CA2346709A1 true CA2346709A1 (en) | 2000-05-11 |
Family
ID=26804081
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA002346709A Abandoned CA2346709A1 (en) | 1998-11-03 | 1999-09-24 | Remote physician authentication service |
Country Status (5)
Country | Link |
---|---|
EP (1) | EP1145526A2 (en) |
JP (1) | JP2002529839A (en) |
AU (1) | AU1095800A (en) |
CA (1) | CA2346709A1 (en) |
WO (1) | WO2000027088A2 (en) |
Families Citing this family (26)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2002024390A (en) * | 2000-07-06 | 2002-01-25 | Kobayashi Pharmaceut Co Ltd | On-line shopping system |
US7373524B2 (en) | 2004-02-24 | 2008-05-13 | Covelight Systems, Inc. | Methods, systems and computer program products for monitoring user behavior for a server application |
JPWO2011040023A1 (en) * | 2009-09-29 | 2013-02-21 | パナソニック株式会社 | Encryption device, decryption device, encryption method, decryption method, and encryption / decryption system |
US9196157B2 (en) | 2010-02-25 | 2015-11-24 | AT&T Mobolity II LLC | Transportation analytics employing timed fingerprint location information |
US9053513B2 (en) | 2010-02-25 | 2015-06-09 | At&T Mobility Ii Llc | Fraud analysis for a location aware transaction |
US9008684B2 (en) | 2010-02-25 | 2015-04-14 | At&T Mobility Ii Llc | Sharing timed fingerprint location information |
US9009629B2 (en) | 2010-12-01 | 2015-04-14 | At&T Mobility Ii Llc | Motion-based user interface feature subsets |
US9462497B2 (en) | 2011-07-01 | 2016-10-04 | At&T Mobility Ii Llc | Subscriber data analysis and graphical rendering |
US9519043B2 (en) | 2011-07-21 | 2016-12-13 | At&T Mobility Ii Llc | Estimating network based locating error in wireless networks |
US8897802B2 (en) | 2011-07-21 | 2014-11-25 | At&T Mobility Ii Llc | Selection of a radio access technology resource based on radio access technology resource historical information |
US8762048B2 (en) | 2011-10-28 | 2014-06-24 | At&T Mobility Ii Llc | Automatic travel time and routing determinations in a wireless network |
US8909247B2 (en) | 2011-11-08 | 2014-12-09 | At&T Mobility Ii Llc | Location based sharing of a network access credential |
US8970432B2 (en) | 2011-11-28 | 2015-03-03 | At&T Mobility Ii Llc | Femtocell calibration for timing based locating systems |
US9026133B2 (en) | 2011-11-28 | 2015-05-05 | At&T Mobility Ii Llc | Handset agent calibration for timing based locating systems |
US8925104B2 (en) | 2012-04-13 | 2014-12-30 | At&T Mobility Ii Llc | Event driven permissive sharing of information |
US9094929B2 (en) | 2012-06-12 | 2015-07-28 | At&T Mobility Ii Llc | Event tagging for mobile networks |
US9046592B2 (en) | 2012-06-13 | 2015-06-02 | At&T Mobility Ii Llc | Timed fingerprint locating at user equipment |
US9326263B2 (en) | 2012-06-13 | 2016-04-26 | At&T Mobility Ii Llc | Site location determination using crowd sourced propagation delay and location data |
US8938258B2 (en) | 2012-06-14 | 2015-01-20 | At&T Mobility Ii Llc | Reference based location information for a wireless network |
US8897805B2 (en) | 2012-06-15 | 2014-11-25 | At&T Intellectual Property I, L.P. | Geographic redundancy determination for time based location information in a wireless radio network |
US9408174B2 (en) | 2012-06-19 | 2016-08-02 | At&T Mobility Ii Llc | Facilitation of timed fingerprint mobile device locating |
US8892054B2 (en) | 2012-07-17 | 2014-11-18 | At&T Mobility Ii Llc | Facilitation of delay error correction in timing-based location systems |
US9351223B2 (en) | 2012-07-25 | 2016-05-24 | At&T Mobility Ii Llc | Assignment of hierarchical cell structures employing geolocation techniques |
US9351111B1 (en) | 2015-03-06 | 2016-05-24 | At&T Mobility Ii Llc | Access to mobile location related information |
US10516972B1 (en) | 2018-06-01 | 2019-12-24 | At&T Intellectual Property I, L.P. | Employing an alternate identifier for subscription access to mobile location information |
CN112437066B (en) * | 2020-11-12 | 2023-02-03 | 四川省肿瘤医院 | Sensitive data processing system and method for identity recognition and digital authentication |
-
1999
- 1999-09-24 WO PCT/US1999/022253 patent/WO2000027088A2/en not_active Application Discontinuation
- 1999-09-24 CA CA002346709A patent/CA2346709A1/en not_active Abandoned
- 1999-09-24 AU AU10958/00A patent/AU1095800A/en not_active Abandoned
- 1999-09-24 JP JP2000580352A patent/JP2002529839A/en active Pending
- 1999-09-24 EP EP99954660A patent/EP1145526A2/en not_active Withdrawn
Also Published As
Publication number | Publication date |
---|---|
WO2000027088A2 (en) | 2000-05-11 |
EP1145526A2 (en) | 2001-10-17 |
AU1095800A (en) | 2000-05-22 |
WO2000027088A3 (en) | 2000-08-31 |
JP2002529839A (en) | 2002-09-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20020120573A1 (en) | Secure extranet operation with open access for qualified medical professional | |
CA2346709A1 (en) | Remote physician authentication service | |
Rose et al. | Current technological impediments to business-to-consumer electronic commerce | |
US6862610B2 (en) | Method and apparatus for verifying the identity of individuals | |
US7941849B2 (en) | System and method for audit tracking | |
US8793804B2 (en) | Computer implemented method, computer system and nontransitory computer readable storage medium having HTTP module | |
JP3762882B2 (en) | Internet server access management and monitoring system | |
US20010054155A1 (en) | Privacy and security method and system for a World-Wide-Web site | |
US20010034709A1 (en) | Anonymous and private browsing of web-sites through private portals | |
US20090113518A1 (en) | Method for Establishing a Person as a User in a System | |
US20020010776A1 (en) | Method and apparatus for integrating distributed shared services system | |
Halamka et al. | A WWW implementation of national recommendations for protecting electronic health information | |
WO2001031543A1 (en) | Method and apparatus for anonymous data profiling | |
US20030065727A1 (en) | Systems and methods for providing secured electronic messaging | |
US20040078312A1 (en) | Method and apparatus for providing comprehensive educational and financial services | |
US6996619B2 (en) | Network service | |
Schroeder | Wired for business | |
KR20000072433A (en) | Anti-hacking Technique using mobile data terminal and temporary password | |
JP2004334433A (en) | Anonymization method, user identifier management method, anonymization device, anonymization program and program storage medium, for online service | |
US7093281B2 (en) | Casual access application with context sensitive pin authentication | |
Knorr et al. | Towards a secure web-based healthcare application | |
Barber | The Internet and electronic commerce | |
JP2003515226A (en) | Legal information distribution system and method | |
DeWitt | Usability issues with security of electronic mail | |
KR20020004365A (en) | Method for offer to electronic mail service through internet |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
FZDE | Discontinued |